Bug 1075638 - GuardShape should expect template objects from CreateThisWithTemplate. r=jandem
--- a/js/src/jit/ScalarReplacement.cpp
+++ b/js/src/jit/ScalarReplacement.cpp
@@ -134,16 +134,22 @@ EmulateStateOf<MemoryView>::run(MemoryVi
// For the moment, this code is dumb as it only supports objects which are not
// changing shape, and which are known by TI at the object creation.
static bool
IsObjectEscaped(MInstruction *ins)
{
MOZ_ASSERT(ins->type() == MIRType_Object);
MOZ_ASSERT(ins->isNewObject() || ins->isGuardShape() || ins->isCreateThisWithTemplate());
+ JSObject *obj = nullptr;
+ if (ins->isNewObject())
+ obj = ins->toNewObject()->templateObject();
+ else if (ins->isCreateThisWithTemplate())
+ obj = ins->toCreateThisWithTemplate()->templateObject();
+
// Check if the object is escaped. If the object is not the first argument
// of either a known Store / Load, then we consider it as escaped. This is a
// cheap and conservative escape analysis.
for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) {
MNode *consumer = (*i)->consumer();
if (!consumer->isDefinition()) {
// Cannot optimize if it is observable from fun.arguments or others.
if (!consumer->toResumePoint()->isRecoverableOperand(*i)) {
@@ -179,17 +185,17 @@ IsObjectEscaped(MInstruction *ins)
}
#endif
break;
}
case MDefinition::Op_GuardShape: {
MGuardShape *guard = def->toGuardShape();
MOZ_ASSERT(!ins->isGuardShape());
- if (ins->toNewObject()->templateObject()->lastProperty() != guard->shape()) {
+ if (obj->lastProperty() != guard->shape()) {
JitSpewDef(JitSpew_Escape, "Object ", ins);
JitSpewDef(JitSpew_Escape, " has a non-matching guard shape\n", guard);
return true;
}
if (IsObjectEscaped(def->toInstruction()))
return true;
break;
}
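Review bot: `obj` is dereferenced at `obj->lastProperty()` in the `Op_GuardShape` case with only the debug-only `MOZ_ASSERT(!ins->isGuardShape())` in front of it. The first hunk leaves `obj` as `nullptr` whenever `ins` is a GuardShape, which the entry assertion allows and which the recursive `IsObjectEscaped(def->toInstruction())` call a few lines below produces. If a guard is ever consumed by another guard, a release build would read through a null pointer instead of bailing out. Because this escape analysis is conservative, treating the unknown case as escaped is a safe fallback: `if (!obj || obj->lastProperty() != guard->shape()) {`. The enclosing switch and the rest of `IsObjectEscaped` lie outside this hunk, so whether other cases rely on `obj` cannot be confirmed from here.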