[INFER] Don't keep using garbage IC after a native triggers recompilation, bug 617589.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 08 Dec 2010 11:52:21 -0800
changeset 74649 6f89a3ddb09e70af3a5f272abed889199c4e2d6b
parent 74648 0b73d74d343d71fb48d0083719a1e9668feb2f88
child 74650 9256ed2447649d9ab0b74d5c85c11a0e62483dc2
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs617589
milestone2.0b8pre
[INFER] Don't keep using garbage IC after a native triggers recompilation, bug 617589.
js/src/jit-test/tests/jaeger/recompile/callic.js
js/src/jit-test/tests/jaeger/recompile/propic.js
js/src/methodjit/MonoIC.cpp
--- a/js/src/jit-test/tests/jaeger/recompile/callic.js
+++ b/js/src/jit-test/tests/jaeger/recompile/callic.js
@@ -10,8 +10,18 @@ function foo() {
     with ({}) {
       eval("g = undefined;");
     }
   }
 }
 foo();
 
 assertEq(g, NaN);
+
+/* Recompilation while being processed by a native call IC. */
+
+function native() {
+  var x;
+  x = x;
+  x = Math.ceil(NaN);
+  assertEq(x, NaN);
+}
+native();
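Review bot: The comment above `native()` names the scenario but not what triggers it, so `x = x;` reads as dead code that a later cleanup could remove and silently defeat the regression test. Presumably the recompilation comes from `Math.ceil(NaN)` producing a result type the compiled code did not expect. If so, state it in the test, e.g. `/* Math.ceil(NaN) yields a double where an int was inferred, forcing recompilation inside the native call IC. */`, and note what `x = x;` contributes.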
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/recompile/propic.js
@@ -0,0 +1,24 @@
+
+/* Recompilation while being processed by property ICs. */
+
+var ga = 10;
+var gb = 10;
+
+Object.defineProperty(Object.prototype, "a", {
+    set: function(a) { eval("ga = true;"); },
+    get: function() { eval("gb = true;"); }
+  });
+
+function foo() {
+  var x = {};
+  x.a = 10;
+  assertEq(ga + 1, 2);
+}
+foo();
+
+function bar() {
+  var x = {};
+  var a = x.a;
+  assertEq(gb + 1, 2);
+}
+bar();
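Review bot: This test targets property ICs (the setter and getter each run an `eval` that rewrites a global), but the only engine file in the changeset is MonoIC.cpp, where the new check sits on the native call IC path. If the property IC stubs already bail out after a recompilation, a one-line comment naming that guard would make clear what this test pins down. If they do not, the equivalent counter check appears to be missing from the property IC code. Separately, the accessor installed on `Object.prototype` is never removed, which is harmless only as long as each jit-test runs in its own global.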
--- a/js/src/methodjit/MonoIC.cpp
+++ b/js/src/methodjit/MonoIC.cpp
@@ -684,19 +684,25 @@ class CallCompiler : public BaseCompiler
 
         JSFunction *fun = obj->getFunctionPrivate();
         if ((!callingNew && !fun->isNative()) || (callingNew && !fun->isConstructor()))
             return false;
 
         if (callingNew)
             vp[1].setMagicWithObjectOrNullPayload(NULL);
 
+        uint32 recompilations = jit->recompilations;
+
         if (!CallJSNative(cx, fun->u.n.native, ic.frameSize.getArgc(f), vp))
             THROWV(true);
 
+        /* Don't touch the IC if the call triggered a recompilation. */
+        if (f.jit()->recompilations != recompilations)
+            return true;
+
         /* Right now, take slow-path for IC misses or multiple stubs. */
         if (ic.fastGuardedNative || ic.hasJsFunCheck)
             return true;
 
         /* Native MIC needs to warm up first. */
         if (!ic.hit) {
             ic.hit = true;
             return true;
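Review bot: The snapshot is read through `jit` but the post-call check reads `f.jit()->recompilations`, and nothing in the hunk explains the difference or guarantees that the counter carries over to the replacement JIT script. If the reason is that `jit` and `ic` may point into code released by the recompilation, say so at the check, e.g. `/* ic and jit may refer to discarded code after a recompilation; re-fetch via f.jit() and return before any ic access. */`, because any later edit that touches `ic` above this guard would reintroduce a stale-memory access. It is also worth confirming that `f.jit()` cannot be null here when the native discarded the script's code, since the new line dereferences it unconditionally. The enclosing method starts and ends outside the hunk.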