Bug 895782 - Fix callsite cloning interaction with inline dispatch in Ion redux. (r=jandem)
authorShu-yu Guo <shu@rfrn.org>
Mon, 22 Jul 2013 16:12:06 -0700
changeset 151805 36e656434fb3733ee1acb75bbd8360f8b843e4f1
parent 151804 719257a27dbba6b2ee9170ed94f97183544b98f4
child 151806 23dda916c3d021b2eb69ad8b93f6a902ea6c1b46
push id2859
push userakeybl@mozilla.com
push dateMon, 16 Sep 2013 19:14:59 +0000
reviewersjandem
bugs895782
milestone25.0a1
Bug 895782 - Fix callsite cloning interaction with inline dispatch in Ion redux. (r=jandem)
js/src/ion/IonBuilder.cpp
js/src/jit-test/tests/parallelarray/bug895782.js
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -4230,31 +4230,33 @@ IonBuilder::inlineCalls(CallInfo &callIn
         // inlineSingleCall() changed |current| to the inline return block.
         MBasicBlock *inlineReturnBlock = current;
         setCurrent(dispatchBlock);
 
         // Connect the inline path to the returnBlock.
         //
         // Note that guarding is on the original function pointer even
         // if there is a clone, since cloning occurs at the callsite.
-        dispatch->addCase(&originals[i]->as<JSFunction>(), inlineBlock);
+        dispatch->addCase(original, inlineBlock);
 
         MDefinition *retVal = inlineReturnBlock->peek(-1);
         retPhi->addInput(retVal);
         inlineReturnBlock->end(MGoto::New(returnBlock));
         if (!returnBlock->addPredecessorWithoutPhis(inlineReturnBlock))
             return false;
     }
 
     // Patch the InlinePropertyTable to not dispatch to vetoed paths.
+    //
+    // Note that like above, we trim using originals instead of targets.
     if (maybeCache) {
         maybeCache->object()->setResultTypeSet(cacheObjectTypeSet);
 
         InlinePropertyTable *propTable = maybeCache->propTable();
-        propTable->trimTo(targets, choiceSet);
+        propTable->trimTo(originals, choiceSet);
 
         // If all paths were vetoed, output only a generic fallback path.
         if (propTable->numEntries() == 0) {
             JS_ASSERT(dispatch->numCases() == 0);
             maybeCache = NULL;
         }
     }
 
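Review bot: `propTable->trimTo(originals, choiceSet)` only works if `originals` is index-aligned with `choiceSet`, and nothing in the visible lines checks that; `choiceSet` is presumably filled per entry of `targets`. Unless it is already asserted earlier in `inlineCalls` (the function starts and ends outside this hunk), add `JS_ASSERT(originals.length() == targets.length());` just before the trim. The only visible cross-check between the table and the dispatch is `JS_ASSERT(dispatch->numCases() == 0)`, and it only covers the case where every path was vetoed, so an asserted invariant is the cheapest guard against the two going out of step again and inlining the wrong callee. The added comment would also hold up better if it gave the reason instead of pointing upward, for example `// The property table is keyed on the uncloned functions, so trim with originals, matching the dispatch guards.`, provided that is indeed the reason.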
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/parallelarray/bug895782.js
@@ -0,0 +1,10 @@
+// Don't crash
+
+Object.defineProperty(this, "y", {
+  get: function() {
+    return Object.create(x)
+  }
+})
+x = ParallelArray([1142], function() {})
+x = x.partition(2)
+y + y
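Review bot: The header `// Don't crash` does not say which path the test exercises, so a later reader cannot tell whether it still covers the regression. A header such as `// Bug 895782: a getter called through a callsite clone must not crash Ion's inline dispatch.` would tie it to the fix, with the wording adjusted to whatever actually triggers the bug. The script also calls `ParallelArray` unconditionally, so a build without that feature would fail here for an unrelated reason. If the neighbouring tests in this directory guard on feature availability, use the same guard here.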