Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 21 Mar 2019 22:47:55 +0000
changeset 465629 2c49e736571bdcf4d8897eab3c3ad6d4a079f664
parent 465628 6b61fd0bb5973b023524911dee3aeb4dc1346df7
child 465634 6332e136b825c0203318aedd24a080f1be6e72e2
push id81179
push userapavel@mozilla.com
push dateFri, 22 Mar 2019 10:03:49 +0000
treeherderautoland@f65d0b7ddc15 [default view] [failures only]
reviewerstcampbell, dveditz
bugs1538006
milestone68.0a1
first release with
nightly linux32
2c49e736571b / 68.0a1 / 20190322012300 / files
nightly linux64
2c49e736571b / 68.0a1 / 20190322012300 / files
nightly mac
2c49e736571b / 68.0a1 / 20190322012300 / files
nightly win32
2c49e736571b / 68.0a1 / 20190322012300 / files
nightly win64
2c49e736571b / 68.0a1 / 20190322012300 / files
Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz

Differential Revision: https://phabricator.services.mozilla.com/D24448
js/src/jit/MIR.cpp
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -6298,20 +6298,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
   // If all of the objects being written to have property types which already
   // reflect the value, no barrier at all is needed. Additionally, if all
   // objects being written to have the same types for the property, and those
   // types do *not* reflect the value, add a type barrier for the value.
 
   bool success = true;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
 
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     // TI doesn't track TypedArray indexes and should never insert a type
     // barrier for them.
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
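Review bot: The new `if (!key->hasStableClassAndProto(constraints)) return true;` in the first loop has no comment explaining why an unstable group forces a barrier, and the same uncommented check is repeated in the second loop (hunk at -6358). Both hunks also drop the old `key->unknownProperties()` skip, so keys with unknown properties now reach `key->property(id)` unless the new check rejects them; presumably it does, but `hasStableClassAndProto` is not shown in this diff, so that is worth confirming. I would add above both checks: `// The group may change after compilation; if class/proto are not stable the property types read below cannot be trusted, so conservatively require a barrier.` The body of `PropertyWriteNeedsTypeBarrier` starts and ends outside both hunks, so the effect on the later `excluded` handling cannot be judged from here.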
@@ -6358,19 +6362,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
 
   if (types->getObjectCount() <= 1) {
     return true;
   }
 
   TypeSet::ObjectKey* excluded = nullptr;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
+
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
     if (CanWriteProperty(alloc, constraints, property, *pvalue, implicitType)) {
       continue;