Bug 1505574 - Prohibit class changes on groups r=iain
authorMatthew Gaudet <mgaudet@mozilla.com>
Fri, 22 Mar 2019 15:34:03 +0000
changeset 465723 eb04dcf207a03d546827a7b7c77d36e5fb4aff58
parent 465722 2f776fa2433d6c44e42040792742aea3656f9b98
child 465724 a19a0fc91ddcf99695e8cd25f7b85d0170bb3994
push id35746
push usershindli@mozilla.com
push dateSat, 23 Mar 2019 09:46:24 +0000
treeherdermozilla-central@02b7484f316b [default view] [failures only]
reviewersiain
bugs1505574
milestone68.0a1
Bug 1505574 - Prohibit class changes on groups r=iain

This is possible now that we no longer have unboxed objects.

Differential Revision: https://phabricator.services.mozilla.com/D24248
js/src/jit/CacheIR.cpp
js/src/jit/CacheIR.h
js/src/vm/ObjectGroup.h
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -4394,17 +4394,17 @@ bool SetPropIRGenerator::tryAttachAddSlo
 
   ObjOperandId objId = writer.guardIsObject(objValId);
   maybeEmitIdGuard(id);
 
   // In addition to guarding for type barrier, we need this group guard (or
   // shape guard below) to ensure class is unchanged. This group guard may also
   // implay maybeInterpretedFunction() for the special-case of function
   // prototype property set.
-  MOZ_ASSERT(!oldGroup->hasUncacheableClass() || obj->is<ShapedObject>());
+  MOZ_ASSERT(obj->is<ShapedObject>());
   writer.guardGroup(objId, oldGroup);
 
   // If we are adding a property to an object for which the new script
   // properties analysis hasn't been performed yet, make sure the stub fails
   // after we run the analysis as a group change may be required here. The
   // group change is not required for correctness but improves type
   // information elsewhere.
   AutoSweepObjectGroup sweep(oldGroup);
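Review bot: The comment above the changed assertion still says the "group guard (or shape guard below)" is needed "to ensure class is unchanged", which no longer matches the invariant this commit introduces and does not explain why `obj->is<ShapedObject>()` is asserted. Because `MOZ_ASSERT` is compiled out of release builds, the emitted stub relies entirely on `guardGroup` implying a fixed class, so the comment should state that, e.g. `// A group's class can no longer change after creation, so this group guard alone pins the class of every object that passes it.` The same comment has a typo, `implay` for `imply`. The assertion is also stricter than before: the removed form applied only when `hasUncacheableClass()` was true, which the ObjectGroup.h hunk shows meant a native class. Presumably earlier checks in tryAttachAddSlotStub, whose body begins and ends outside this hunk, already exclude non-shaped objects, but that is worth confirming.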
--- a/js/src/jit/CacheIR.h
+++ b/js/src/jit/CacheIR.h
@@ -760,17 +760,16 @@ class MOZ_RAII CacheIRWriter : public JS
     // Typesets will always be a super-set of any typesets previously seen
     // for this group. If the type/group of a value being stored to a
     // property in this group is not known, a TypeUpdate IC chain should be
     // used as well.
     guardGroup(obj, group);
   }
   void guardGroupForLayout(ObjOperandId obj, ObjectGroup* group) {
     // NOTE: Comment in guardGroupForTypeBarrier also applies.
-    MOZ_ASSERT(!group->hasUncacheableClass());
     MOZ_ASSERT(IsTypedObjectClass(group->clasp()));
     guardGroup(obj, group);
   }
   void guardProto(ObjOperandId obj, JSObject* proto) {
     assertSameCompartment(proto);
     writeOpWithOperandId(CacheOp::GuardProto, obj);
     addStubField(uintptr_t(proto), StubField::Type::JSObject);
   }
--- a/js/src/vm/ObjectGroup.h
+++ b/js/src/vm/ObjectGroup.h
@@ -178,31 +178,16 @@ class ObjectGroup : public gc::TenuredCe
   friend class gc::GCTrace;
 
   // See JSObject::offsetOfGroup() comment.
   friend class js::jit::MacroAssembler;
 
  public:
   const Class* clasp() const { return clasp_; }
 
-  void setClasp(const Class* clasp) {
-    MOZ_ASSERT(JS::StringIsASCII(clasp->name));
-    MOZ_ASSERT(hasUncacheableClass());
-    clasp_ = clasp;
-  }
-
-  // Certain optimizations may mutate the class of an ObjectGroup - and thus
-  // all objects in it - after it is created. If true, the JIT must not
-  // assume objects of a previously seen group have the same class as before.
-  //
-  // See: TryConvertToUnboxedLayout
-  //
-  // MG:Unboxed: Verify above comment still holds
-  bool hasUncacheableClass() const { return clasp_->isNative(); }
-
   bool hasDynamicPrototype() const { return proto_.isDynamic(); }
 
   const GCPtr<TaggedProto>& proto() const { return proto_; }
 
   GCPtr<TaggedProto>& proto() { return proto_; }
 
   void setProto(TaggedProto proto);
   void setProtoUnchecked(TaggedProto proto);