Bug 1263888 - Push TypeBarrier after ArraySlice. r=jandem
authorTooru Fujisawa <arai_a@mac.com>
Thu, 14 Apr 2016 16:41:36 +0900
changeset 293269 6f330fed23146feb54337db0ea94780be788bfc2
parent 293268 eeb6c9316ff31b5a4f2aaed2db678aabdf2a97f1
child 293270 c70372e8bd86cfb1c568a20448f88ce88f3c98e9
push id18749
push usercbook@mozilla.com
push dateFri, 15 Apr 2016 12:01:19 +0000
reviewersjandem
bugs1263888
milestone48.0a1
Bug 1263888 - Push TypeBarrier after ArraySlice. r=jandem
js/src/jit-test/tests/auto-regress/bug1263888.js
js/src/jit/MCallOptimize.cpp
js/src/jit/MIR.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263888.js
@@ -0,0 +1,3 @@
+Array.prototype.constructor = [];
+for (let i = 0; i < 100; i++)
+    [].slice();
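Review bot: The new regression test has no comment saying what it guards, and it asserts nothing, so it only passes or fails by whether the engine crashes or trips an assertion. A leading comment such as `// Ion-inlined Array.prototype.slice must not assume the result has the receiver's type set (bug 1263888).` would tell a later reader why `Array.prototype.constructor` is overwritten. Whether 100 iterations reach the Ion-inlined path presumably depends on the warm-up threshold the test harness runs with, so it is worth confirming that the default configuration exercises it.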
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -885,16 +885,20 @@ IonBuilder::inlineArraySlice(CallInfo& c
                                         templateObj,
                                         templateObj->group()->initialHeap(constraints()),
                                         unboxedType);
     current->add(ins);
     current->push(ins);
 
     if (!resumeAfter(ins))
         return InliningStatus_Error;
+
+    if (!pushTypeBarrier(ins, getInlineReturnTypeSet(), BarrierKind::TypeSet))
+        return InliningStatus_Error;
+
     return InliningStatus_Inlined;
 }
 
 IonBuilder::InliningStatus
 IonBuilder::inlineMathAbs(CallInfo& callInfo)
 {
     if (callInfo.argc() != 1 || callInfo.constructing()) {
         trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
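Review bot: The `pushTypeBarrier` call added at the end of inlineArraySlice has no comment explaining why it is required. As far as the visible lines show, it is now the only thing that checks the result's type set, because the same commit removes `setResultTypeSet(obj->resultTypeSet())` from the MArraySlice constructor. I would add above it `// The result need not share the receiver's TypeSet (e.g. Array.prototype.constructor was replaced), so guard it against the observed return types.` so that a later cleanup does not drop the barrier as redundant. The start of inlineArraySlice is outside the hunk, and the trailing context lines belong to the unchanged inlineMathAbs.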
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -9918,17 +9918,16 @@ class MArraySlice
                 MDefinition* begin, MDefinition* end,
                 JSObject* templateObj, gc::InitialHeap initialHeap, JSValueType unboxedType)
       : MTernaryInstruction(obj, begin, end),
         templateObj_(templateObj),
         initialHeap_(initialHeap),
         unboxedType_(unboxedType)
     {
         setResultType(MIRType_Object);
-        setResultTypeSet(obj->resultTypeSet());
     }
 
   public:
     INSTRUCTION_HEADER(ArraySlice)
 
     static MArraySlice* New(TempAllocator& alloc, CompilerConstraintList* constraints,
                             MDefinition* obj, MDefinition* begin, MDefinition* end,
                             JSObject* templateObj, gc::InitialHeap initialHeap,