Bug 899572 - IonMonkey: Don't emit SetElementCache when there are setters, r=nbp
authorHannes Verschore <hv1989@gmail.com>
Wed, 31 Jul 2013 15:07:39 +0200
changeset 140749 4a1e0eb4539c43c9601bfbed595f04a57ab3e908
parent 140748 8d0d262985d94b36c0c373547342be9f0c2d85b0
child 140750 d2e6989ff928abb6a79248457cc0f17df59b0b8a
push id25037
push userryanvm@gmail.com
push dateWed, 31 Jul 2013 17:42:12 +0000
treeherdermozilla-central@c4dd1430498a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnbp
bugs899572
milestone25.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 899572 - IonMonkey: Don't emit SetElementCache when there are setters, r=nbp
js/src/ion/IonCaches.cpp
--- a/js/src/ion/IonCaches.cpp
+++ b/js/src/ion/IonCaches.cpp
@@ -2650,16 +2650,33 @@ IsElementSetInlineable(HandleObject obj,
         return false;
 
     if (obj->watched())
         return false;
 
     if (!index.isInt32())
         return false;
 
+    // The object may have a setter definition,
+    // either directly, or via a prototype, or via the target object for a prototype
+    // which is a proxy, that handles a particular integer write.
+    // Scan the prototype and shape chain to make sure that this is not the case.
+    JSObject *curObj = obj;
+    while (curObj) {
+        // Ensure object is native.
+        if (!curObj->isNative())
+            return false;
+
+        // Ensure all indexed properties are stored in dense elements.
+        if (curObj->isIndexed())
+            return false;
+
+        curObj = curObj->getProto();
+    }
+
     return true;
 }
 
 bool
 SetElementIC::attachDenseElement(JSContext *cx, IonScript *ion, JSObject *obj, const Value &idval)
 {
     JS_ASSERT(obj->isNative());
     JS_ASSERT(idval.isInt32());