Restore the Type Object before the allocation. (no bug, r=dvander)

2024-09-13 09:24:08 -07:00 · 2012-03-23 14:52:11 -07:00 · 2012-03-23 14:52:11 -07:00 · 9fea02c04e
commit 9fea02c04e
parent 2b39e09f87
5 changed files with 40 additions and 7 deletions
--- a/js/src/ion/CodeGenerator.cpp
+++ b/js/src/ion/CodeGenerator.cpp
@ -871,9 +871,10 @@ CodeGenerator::visitNewArray(LNewArray *lir)
 bool
 CodeGenerator::visitNewObject(LNewObject *lir)
 {
-    typedef JSObject *(*pf)(JSContext *, JSObject *);
-    static const VMFunction Info = FunctionInfo<pf>(CopyInitializerObject);
+    typedef JSObject *(*pf)(JSContext *, JSObject *, types::TypeObject *);
+    static const VMFunction Info = FunctionInfo<pf>(NewInitObject);

+    pushArg(ImmGCPtr(lir->mir()->type()));
    pushArg(ImmGCPtr(lir->mir()->baseObj()));
    return callVM(Info, lir);
 }
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -2739,7 +2739,14 @@ IonBuilder::jsop_newobject(JSObject *baseObj)
    // Don't bake in the TypeObject for non-CNG scripts.
    JS_ASSERT(script->hasGlobal());

-    MNewObject *ins = MNewObject::New(baseObj);
+    types::TypeObject *type = NULL;
+    if (!types::UseNewTypeForInitializer(cx, script, pc)) {
+        type = types::TypeScript::InitObject(cx, script, pc, JSProto_Object);
+        if (!type)
+            return false;
+    }
+
+    MNewObject *ins = MNewObject::New(baseObj, type);

    current->add(ins);
    current->push(ins);
--- a/js/src/ion/MIR.h
+++ b/js/src/ion/MIR.h
@ -980,9 +980,11 @@ class MNewArray : public MNullaryInstruction
 class MNewObject : public MNullaryInstruction
 {
    HeapPtrObject baseObj_;
+    HeapPtr<types::TypeObject> type_;

-    MNewObject(JSObject *baseObj)
-      : baseObj_(baseObj)
+    MNewObject(JSObject *baseObj, types::TypeObject *type)
+      : baseObj_(baseObj),
+        type_(type)
    {
        setResultType(MIRType_Object);
    }
@ -990,13 +992,16 @@ class MNewObject : public MNullaryInstruction
  public:
    INSTRUCTION_HEADER(NewObject);

-    static MNewObject *New(JSObject *baseObj) {
-        return new MNewObject(baseObj);
+    static MNewObject *New(JSObject *baseObj, types::TypeObject *type) {
+        return new MNewObject(baseObj, type);
    }

    JSObject *baseObj() const {
        return baseObj_;
    }
+    types::TypeObject *type() const {
+        return type_;
+    }
 };

 // Designates the start of call frame construction.
--- a/js/src/ion/VMFunctions.cpp
+++ b/js/src/ion/VMFunctions.cpp
@ -216,6 +216,24 @@ NewInitArray(JSContext *cx, uint32_t count, types::TypeObject *type)
    return obj;
 }

+JSObject*
+NewInitObject(JSContext *cx, JSObject *baseObj, types::TypeObject *type)
+{
+    JSObject *obj = CopyInitializerObject(cx, baseObj);
+    if (!obj)
+        return NULL;
+
+    if (!type) {
+        if (!obj->setSingletonType(cx))
+            return NULL;
+
+        types::TypeScript::Monitor(cx, ObjectValue(*obj));
+    } else {
+        obj->setType(type);
+    }
+
+    return obj;
+}

 } // namespace ion
 } // namespace js
--- a/js/src/ion/VMFunctions.h
+++ b/js/src/ion/VMFunctions.h
@ -321,7 +321,9 @@ bool IteratorMore(JSContext *cx, JSObject *obj, JSBool *res);

 bool CloseIteratorFromIon(JSContext *cx, JSObject *obj);

+// Allocation functions for JSOP_NEWARRAY and JSOP_NEWOBJECT
 JSObject *NewInitArray(JSContext *cx, uint32_t count, types::TypeObject *type);
+JSObject *NewInitObject(JSContext *cx, JSObject *baseObj, types::TypeObject *type);

 } // namespace ion
 } // namespace js