Bug 1532289 - Fix missing pre-write barrier for BigInt values in Ion r=jandem
☠☠ backed out by ed1aa72d1ba3 ☠ ☠
authorAndy Wingo <wingo@igalia.com>
Tue, 05 Mar 2019 15:02:57 +0000
changeset 520303 19047d153c2f5ddf5184def2be0745d2f1d936a8
parent 520302 664638fa249e1d9ba53fb82acd8c72e96affb234
child 520304 7f2bda80e47996b542d4c8f602f88a4af6b84f16
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersjandem
bugs1532289
milestone67.0a1
Bug 1532289 - Fix missing pre-write barrier for BigInt values in Ion r=jandem Differential Revision: https://phabricator.services.mozilla.com/D21941
js/src/jit-test/tests/gc/bug1532289.js
js/src/vm/TypeInference.cpp
js/src/vm/TypeSet.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug1532289.js
@@ -0,0 +1,10 @@
+// |jit-test| --ion-warmup-threshold=0; --ion-offthread-compile=off
+
+gczeal(4,40);
+
+var x;
+var y = false;
+
+function f(v) { x = v; while (y) {} }
+
+for (var z=1; z < 1e5; z++) { f(BigInt(z)); }
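Review bot: The test carries no comment saying what it exercises, so a reader cannot tell why repeated BigInt stores into a global under `gczeal(4,40)` reproduce bug 1532289. I'd add after the jit-test directive: `// Regression test for bug 1532289: a BigInt stored into a global from Ion code must get a GC pre-write barrier; gczeal mode 4 (pre-barrier verifier, as I read it) fails if the barrier is missing.` The `while (y) {}` loop presumably keeps the store from being folded away or keeps f hot enough to stay in Ion; that intent is worth one short comment as well, since a future cleanup could otherwise drop it.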
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -1847,17 +1847,17 @@ JSObject* HeapTypeSetKey::singleton(Comp
 }
 
 bool HeapTypeSetKey::needsBarrier(CompilerConstraintList* constraints) {
   TypeSet* types = maybeTypes();
   if (!types) {
     return false;
   }
   bool result = types->unknownObject() || types->getObjectCount() > 0 ||
-                types->hasAnyFlag(TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL);
+                types->hasAnyFlag(TYPE_FLAG_PRIMITIVE_GCTHING);
   if (!result) {
     freeze(constraints);
   }
   return result;
 }
 
 namespace {
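Review bot: needsBarrier has no comment stating why objects and heap-allocated primitives need a barrier while the remaining types let the set be frozen, and the case fixed here (BigInt) is exactly what such a list silently omits. I'd add above the `bool result` line: `// A pre-write barrier is needed whenever the stored value may be a GC thing: any object, or a heap-allocated primitive (string, symbol, BigInt).` and before `freeze(constraints)`: `// No GC-thing type observed yet; freeze so the compiled code is invalidated if one appears later.` The second sentence is my reading of freeze() and should be checked against its definition before landing. Switching to the shared TYPE_FLAG_PRIMITIVE_GCTHING mask instead of an inline OR is the right shape, because it keeps this site in step with the flag list in TypeSet.h.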
 
--- a/js/src/vm/TypeSet.h
+++ b/js/src/vm/TypeSet.h
@@ -82,20 +82,26 @@ enum : uint32_t {
   TYPE_FLAG_INT32 = 0x8,
   TYPE_FLAG_DOUBLE = 0x10,
   TYPE_FLAG_STRING = 0x20,
   TYPE_FLAG_SYMBOL = 0x40,
   TYPE_FLAG_BIGINT = 0x80,
   TYPE_FLAG_LAZYARGS = 0x100,
   TYPE_FLAG_ANYOBJECT = 0x200,
 
+  /* Mask containing all "immediate" primitives (not heap-allocated) */
+  TYPE_FLAG_PRIMITIVE_IMMEDIATE = TYPE_FLAG_UNDEFINED | TYPE_FLAG_NULL |
+      TYPE_FLAG_BOOLEAN | TYPE_FLAG_INT32 | TYPE_FLAG_DOUBLE,
+  /* Mask containing all GCThing primitives (heap-allocated) */
+  TYPE_FLAG_PRIMITIVE_GCTHING =
+      TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL | TYPE_FLAG_BIGINT,
+
   /* Mask containing all primitives */
-  TYPE_FLAG_PRIMITIVE = TYPE_FLAG_UNDEFINED | TYPE_FLAG_NULL |
-                        TYPE_FLAG_BOOLEAN | TYPE_FLAG_INT32 | TYPE_FLAG_DOUBLE |
-                        TYPE_FLAG_STRING | TYPE_FLAG_SYMBOL | TYPE_FLAG_BIGINT,
+  TYPE_FLAG_PRIMITIVE =
+      TYPE_FLAG_PRIMITIVE_IMMEDIATE | TYPE_FLAG_PRIMITIVE_GCTHING,
 
   /* Mask/shift for the number of objects in objectSet */
   TYPE_FLAG_OBJECT_COUNT_MASK = 0x3c00,
   TYPE_FLAG_OBJECT_COUNT_SHIFT = 10,
   TYPE_FLAG_OBJECT_COUNT_LIMIT = 7,
   TYPE_FLAG_DOMOBJECT_COUNT_LIMIT =
       TYPE_FLAG_OBJECT_COUNT_MASK >> TYPE_FLAG_OBJECT_COUNT_SHIFT,
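Review bot: The new TYPE_FLAG_PRIMITIVE_GCTHING mask is what needsBarrier in TypeInference.cpp now relies on to decide whether a pre-write barrier is emitted, but its comment at the top of the hunk does not say so, and the bug being fixed is precisely a heap-allocated primitive that was left out of such a list. I'd extend the comment to `/* Mask containing all GCThing primitives (heap-allocated). Stores of these need GC pre-write barriers; any new heap-allocated primitive flag must be added here. */`. TYPE_FLAG_LAZYARGS belongs to neither new mask, which matches the old TYPE_FLAG_PRIMITIVE definition, so that looks intentional. The enclosing enum starts and ends outside this hunk.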