Avoid skipping sync code in GETPROP PIC on non-length accesses which can invoke a getter, bug 717184. r=dvander
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 11 Jan 2012 17:42:58 -0800
changeset 85549 ebb34e2325778e6be9d312c7619e25585bc7561f
parent 85548 16f0d80b3137f26f033e681d6e1d17675af32448
child 85550 4abbedf5b4ca3e532f84c7c020fa2629f6e542e1
push id805
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 18:17:35 +0000
treeherdermozilla-aurora@6fb3bf232436 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdvander
bugs717184
milestone12.0a1
Avoid skipping sync code in GETPROP PIC on non-length accesses which can invoke a getter, bug 717184. r=dvander
js/src/methodjit/Compiler.cpp
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -4636,51 +4636,56 @@ mjit::Compiler::jsop_getprop(PropertyNam
      */
     RegisterID objReg = frame.copyDataIntoReg(top);
     RegisterID shapeReg = frame.allocReg();
 
     RESERVE_IC_SPACE(masm);
 
     PICGenInfo pic(ic::PICInfo::GET, JSOp(*PC));
 
-    /* Guard that the type is an object. */
-    Label typeCheck;
-    if (doTypeCheck && !top->isTypeKnown()) {
-        RegisterID reg = frame.tempRegForType(top);
-        pic.typeReg = reg;
-
-        /* Start the hot path where it's easy to patch it. */
-        pic.fastPathStart = masm.label();
-        Jump j = masm.testObject(Assembler::NotEqual, reg);
-        typeCheck = masm.label();
-        RETURN_IF_OOM(false);
-
-        pic.typeCheck = stubcc.linkExit(j, Uses(1));
-        pic.hasTypeCheck = true;
-    } else {
-        pic.fastPathStart = masm.label();
-        pic.hasTypeCheck = false;
-        pic.typeReg = Registers::ReturnReg;
-    }
-
     /*
      * If this access has been on a shape with a getter hook, make preparations
      * so that we can generate a stub to call the hook directly (rather than be
      * forced to make a stub call). Sync the stack up front and kill all
      * registers so that PIC stubs can contain calls, and always generate a
      * type barrier if inference is enabled (known property types do not
      * reflect properties with getter hooks).
      */
     pic.canCallHook = pic.forcedTypeBarrier =
         !forPrototype &&
         JSOp(*PC) == JSOP_GETPROP &&
-        name != cx->runtime->atomState.lengthAtom &&
         analysis->getCode(PC).accessGetter;
-    if (pic.canCallHook)
-        frame.syncAndKillEverything();
+
+    /* Guard that the type is an object. */
+    Label typeCheck;
+    if (doTypeCheck && !top->isTypeKnown()) {
+        RegisterID reg = frame.tempRegForType(top);
+        pic.typeReg = reg;
+
+        if (pic.canCallHook) {
+            PinRegAcrossSyncAndKill p1(frame, reg);
+            frame.syncAndKillEverything();
+        }
+
+        /* Start the hot path where it's easy to patch it. */
+        pic.fastPathStart = masm.label();
+        Jump j = masm.testObject(Assembler::NotEqual, reg);
+        typeCheck = masm.label();
+        RETURN_IF_OOM(false);
+
+        pic.typeCheck = stubcc.linkExit(j, Uses(1));
+        pic.hasTypeCheck = true;
+    } else {
+        if (pic.canCallHook)
+            frame.syncAndKillEverything();
+
+        pic.fastPathStart = masm.label();
+        pic.hasTypeCheck = false;
+        pic.typeReg = Registers::ReturnReg;
+    }
 
     pic.shapeReg = shapeReg;
     pic.name = name;
 
     /* Guard on shape. */
     masm.loadShape(objReg, shapeReg);
     pic.shapeGuard = masm.label();