Bug 1517690 - Fix BaselineInspector to match new CacheIR ops for WindowProxy unwrapping. r=evilpie
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 04 Jan 2019 17:47:39 +0000
changeset 452561 4b3fc8b9128035c63821078328c73fbc525d1950
parent 452560 5088f1dd3230fd48b243e3ae3f56e3a0e4982837
child 452562 4658f4891f79f944fdb6db6c5ccb3a5a22d3b91b
child 452616 1054653e187dc65cf6451104ee63561fe5565d0d
push id35314
push usershindli@mozilla.com
push dateFri, 04 Jan 2019 21:48:06 +0000
treeherdermozilla-central@4b3fc8b91280 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersevilpie
bugs1517690
milestone66.0a1
first release with
nightly linux32
4b3fc8b91280 / 66.0a1 / 20190104214806 / files
nightly linux64
4b3fc8b91280 / 66.0a1 / 20190104214806 / files
nightly mac
4b3fc8b91280 / 66.0a1 / 20190104214806 / files
nightly win32
4b3fc8b91280 / 66.0a1 / 20190104214806 / files
nightly win64
4b3fc8b91280 / 66.0a1 / 20190104214806 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1517690 - Fix BaselineInspector to match new CacheIR ops for WindowProxy unwrapping. r=evilpie Differential Revision: https://phabricator.services.mozilla.com/D15729
js/src/jit/BaselineInspector.cpp
js/src/jit/CacheIR.cpp
--- a/js/src/jit/BaselineInspector.cpp
+++ b/js/src/jit/BaselineInspector.cpp
@@ -1085,36 +1085,42 @@ static bool AddCacheIRGetPropFunction(
   //   Call(Scripted|Native)GetterResult objId
   //
   // If |innerized| is true, we replaced a WindowProxy with the Window
   // object and we're only interested in Baseline getter stubs that performed
   // the same optimization. This means we expect the following ops for the
   // [..WindowProxy innerization..] above:
   //
   //   GuardClass objId WindowProxy
-  //   objId = LoadObject <global>
+  //   objId = LoadWrapperTarget objId
+  //   GuardSpecificObject objId, <global>
 
   CacheIRReader reader(stub->stubInfo());
 
   ObjOperandId objId = ObjOperandId(0);
   if (!reader.matchOp(CacheOp::GuardIsObject, objId)) {
     return AddCacheIRGlobalGetter(stub, innerized, holder, holderShape,
                                   commonGetter, globalShape, isOwnProperty,
                                   receivers, convertUnboxedGroups, script);
   }
 
   if (innerized) {
     if (!reader.matchOp(CacheOp::GuardClass, objId) ||
         reader.guardClassKind() != GuardClassKind::WindowProxy) {
       return false;
     }
-    if (!reader.matchOp(CacheOp::LoadObject)) {
+
+    if (!reader.matchOp(CacheOp::LoadWrapperTarget, objId)) {
       return false;
     }
     objId = reader.objOperandId();
+
+    if (!reader.matchOp(CacheOp::GuardSpecificObject, objId)) {
+      return false;
+    }
     DebugOnly<JSObject*> obj =
         stub->stubInfo()
             ->getStubField<JSObject*>(stub, reader.stubOffset())
             .get();
     MOZ_ASSERT(obj->is<GlobalObject>());
   }
 
   ReceiverGuard receiver;
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -1138,16 +1138,18 @@ bool js::jit::IsWindowProxyForScriptGlob
   // mutable document.domain). See bug 1516775.
   return window == &script->global();
 }
 
 // Guards objId is a WindowProxy for windowObj. Returns the window's operand id.
 static ObjOperandId GuardAndLoadWindowProxyWindow(CacheIRWriter& writer,
                                                   ObjOperandId objId,
                                                   GlobalObject* windowObj) {
+  // Note: update AddCacheIRGetPropFunction in BaselineInspector.cpp when making
+  // changes here.
   writer.guardClass(objId, GuardClassKind::WindowProxy);
   ObjOperandId windowObjId = writer.loadWrapperTarget(objId);
   writer.guardSpecificObject(windowObjId, windowObj);
   return windowObjId;
 }
 
 bool GetPropIRGenerator::tryAttachWindowProxy(HandleObject obj,
                                               ObjOperandId objId, HandleId id) {