Bug 1315634 - Discard fallback resume points created on JSOP_CALLPROP if we are not inlining any function. r=h4writer
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 10 Nov 2016 13:44:31 +0100
changeset 348729 3930bf2158788bc3681992d61cc0d26614c8b388
parent 348728 a67f9e4b5faf56f66f454d58118cbea584a7f334
child 348730 459230d2ab75b5712f9c15e7640f6fe99d82a7f3
push id10298
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:33:03 +0000
treeherdermozilla-aurora@7e29173b1641 [default view] [failures only]
reviewersh4writer
bugs1315634
milestone52.0a1
Bug 1315634 - Discard fallback resume points created on JSOP_CALLPROP if we are not inlining any function. r=h4writer
js/src/jit-test/tests/backup-point-bug1315634.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/backup-point-bug1315634.js
@@ -0,0 +1,29 @@
+setJitCompilerOption('ion.forceinlineCaches', 1);
+function g(f, x) {
+    for (var j = 0; j < 3; ++j)
+        for (var k = 0; k < 21; ++k)
+            try {
+                f(x[k]);
+            } catch (e) {}
+}
+a0 = y = [];
+function f2() {
+    f1()
+};
+function f1() {
+    switch (abs(abs(3187503207)(134217728) | 0) | 0) {
+        case -2:
+            this.y.splice(NaN, 2, x({}) = 4277)
+    }
+    return
+    4006901336 | 0
+}
+g(f1, []);
+g(f2, []);
+f1 = (function() {
+    function f() {
+        a0.splice(NaN, 0);
+    }
+    return f;
+})();
+g(f2, []);
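Review bot: The new test has no comment saying what it guards, and because every call in `g` is wrapped in `try { ... } catch (e) {}` it can only fail through a crash or assertion in the JIT, never through a wrong result. A header such as `// Bug 1315634: must not assert or crash once f1 is reassigned and the f2 -> f1 call site is no longer inlined.` would tell a later reader why the fuzzer-shaped body should not be tidied up. The scenario in that comment is inferred from the commit title and from `f1` being reassigned before the last `g(f2, [])`, so the wording should be confirmed against the bug.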
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -6771,16 +6771,19 @@ IonBuilder::jsop_call(uint32_t argc, boo
 
     // Try inlining
     InliningStatus status = inlineCallsite(targets, callInfo);
     if (status == InliningStatus_Inlined)
         return true;
     if (status == InliningStatus_Error)
         return false;
 
+    // Discard unreferenced & pre-allocated resume points.
+    replaceMaybeFallbackFunctionGetter(nullptr);
+
     // No inline, just make the call.
     JSFunction* target = nullptr;
     if (targets.length() == 1 && targets[0]->is<JSFunction>())
         target = &targets[0]->as<JSFunction>();
 
     if (target && status == InliningStatus_WarmUpCountTooLow) {
         MRecompileCheck* check =
             MRecompileCheck::New(alloc(), target->nonLazyScript(),
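Review bot: The added comment above `replaceMaybeFallbackFunctionGetter(nullptr)` says what is dropped but not why it is needed here, and the call reads as a setter rather than a discard. Something like `// Not inlining: the fallback getter and its pre-allocated resume point were only for inlineCallsite, so drop them before emitting the plain call.` would record the invariant; that wording is inferred from the commit title and should be checked against the helper. The call also sits after both early returns, so the `InliningStatus_Error` path leaves the fallback in place. That is presumably harmless because the compilation is abandoned, but a short remark would save the next reader from checking. jsop_call starts before this hunk and continues past it.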