Bug 821551 - Correctly root all callers of elementWriteIsDenseArray; r=billm
authorTerrence Cole <terrence@mozilla.com>
Thu, 13 Dec 2012 17:54:20 -0800
changeset 125128 4fb4bbc6b029987b32f0eb82d86c8b40ae7b7fa6
parent 125127 032490690d651535e1d9ec2017403db8e166d29c
child 125129 0fb9ff76a1778ee3fbd57e9f3e6d8e0ce28d4587
push id2151
push userlsblakk@mozilla.com
push dateTue, 19 Feb 2013 18:06:57 +0000
treeherdermozilla-beta@4952e88741ec [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbillm
bugs821551
milestone20.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 821551 - Correctly root all callers of elementWriteIsDenseArray; r=billm
js/src/ion/IonBuilder.cpp
js/src/ion/TypeOracle.cpp
js/src/ion/TypeOracle.h
js/src/jit-test/tests/gc/bug-821551.js
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -4280,18 +4280,18 @@ IonBuilder::jsop_newobject(HandleObject 
     current->push(ins);
 
     return resumeAfter(ins);
 }
 
 bool
 IonBuilder::jsop_initelem()
 {
-    RootedScript scriptRoot(cx, script());
-    if (oracle->propertyWriteCanSpecialize(scriptRoot, pc)) {
+    if (oracle->propertyWriteCanSpecialize(script(), pc)) {
+        RootedScript scriptRoot(cx, script());
         if (oracle->elementWriteIsDenseArray(scriptRoot, pc))
             return jsop_initelem_dense();
     }
 
     return abort("NYI: JSOP_INITELEM supports for non dense objects/arrays.");
 }
 
 bool
@@ -5452,17 +5452,18 @@ IonBuilder::jsop_getelem_string()
     current->push(result);
     return true;
 }
 
 bool
 IonBuilder::jsop_setelem()
 {
     if (oracle->propertyWriteCanSpecialize(script(), pc)) {
-        if (oracle->elementWriteIsDenseArray(script(), pc))
+        RootedScript scriptRoot(cx, script());
+        if (oracle->elementWriteIsDenseArray(scriptRoot, pc))
             return jsop_setelem_dense();
 
         int arrayType = TypedArray::TYPE_MAX;
         if (oracle->elementWriteIsTypedArray(script(), pc, &arrayType))
             return jsop_setelem_typed(arrayType);
     }
 
     LazyArgumentsType isArguments = oracle->elementWriteMagicArguments(script(), pc);
@@ -6863,17 +6864,18 @@ IonBuilder::jsop_setaliasedvar(ScopeCoor
 
     current->add(store);
     return resumeAfter(store);
 }
 
 bool
 IonBuilder::jsop_in()
 {
-    if (oracle->inObjectIsDenseArray(script(), pc))
+    RootedScript scriptRoot(cx, script());
+    if (oracle->inObjectIsDenseArray(scriptRoot, pc))
         return jsop_in_dense();
 
     MDefinition *obj = current->pop();
     MDefinition *id = current->pop();
     MIn *ins = new MIn(id, obj);
 
     current->add(ins);
     current->push(ins);
--- a/js/src/ion/TypeOracle.cpp
+++ b/js/src/ion/TypeOracle.cpp
@@ -258,17 +258,17 @@ TypeInferenceOracle::propertyReadIdempot
 
 bool
 TypeInferenceOracle::propertyReadAccessGetter(JSScript *script, jsbytecode *pc)
 {
     return script->analysis()->getCode(pc).accessGetter;
 }
 
 bool
-TypeInferenceOracle::inObjectIsDenseArray(JSScript *script, jsbytecode *pc)
+TypeInferenceOracle::inObjectIsDenseArray(HandleScript script, jsbytecode *pc)
 {
     // Check whether the object is a dense array and index is int32 or double.
     StackTypeSet *id = script->analysis()->poppedTypes(pc, 1);
     StackTypeSet *obj = script->analysis()->poppedTypes(pc, 0);
 
     JSValueType idType = id->getKnownTypeTag();
     if (idType != JSVAL_TYPE_INT32 && idType != JSVAL_TYPE_DOUBLE)
         return false;
@@ -392,17 +392,17 @@ TypeInferenceOracle::elementReadGeneric(
 
     if (*cacheable)
         *monitorResult = (id == MIRType_String || script->analysis()->getCode(pc).getStringElement);
     else
         *monitorResult = true;
 }
 
 bool
-TypeInferenceOracle::elementWriteIsDenseArray(JSScript *script, jsbytecode *pc)
+TypeInferenceOracle::elementWriteIsDenseArray(HandleScript script, jsbytecode *pc)
 {
     // Check whether the object is a dense array and index is int32 or double.
     StackTypeSet *obj = script->analysis()->poppedTypes(pc, 2);
     StackTypeSet *id = script->analysis()->poppedTypes(pc, 1);
 
     JSValueType objType = obj->getKnownTypeTag();
     if (objType != JSVAL_TYPE_OBJECT)
         return false;
@@ -491,17 +491,17 @@ TypeInferenceOracle::arrayPrototypeHasIn
 
 bool
 TypeInferenceOracle::canInlineCalls()
 {
     return script()->analysis()->hasFunctionCalls();
 }
 
 bool
-TypeInferenceOracle::propertyWriteCanSpecialize(JSScript *script, jsbytecode *pc)
+TypeInferenceOracle::propertyWriteCanSpecialize(UnrootedScript script, jsbytecode *pc)
 {
     return !script->analysis()->getCode(pc).monitoredTypes;
 }
 
 bool
 TypeInferenceOracle::propertyWriteNeedsBarrier(JSScript *script, jsbytecode *pc, jsid id)
 {
     StackTypeSet *types = script->analysis()->poppedTypes(pc, 1);
--- a/js/src/ion/TypeOracle.h
+++ b/js/src/ion/TypeOracle.h
@@ -70,17 +70,17 @@ class TypeOracle
                                                 jsid id, bool *canSpecialize) {
         *canSpecialize = true;
         return NULL;
     }
     virtual types::StackTypeSet *returnTypeSet(JSScript *script, jsbytecode *pc, types::StackTypeSet **barrier) {
         *barrier = NULL;
         return NULL;
     }
-    virtual bool inObjectIsDenseArray(JSScript *script, jsbytecode *pc) {
+    virtual bool inObjectIsDenseArray(HandleScript script, jsbytecode *pc) {
         return false;
     }
     virtual bool inArrayIsPacked(JSScript *script, jsbytecode *pc) {
         return false;
     }
     virtual bool elementReadIsDenseArray(JSScript *script, jsbytecode *pc) {
         return false;
     }
@@ -95,26 +95,26 @@ class TypeOracle
     }
     virtual void elementReadGeneric(JSScript *script, jsbytecode *pc, bool *cacheable, bool *monitorResult) {
         *cacheable = false;
         *monitorResult = true;
     }
     virtual bool setElementHasWrittenHoles(JSScript *script, jsbytecode *pc) {
         return true;
     }
-    virtual bool elementWriteIsDenseArray(JSScript *script, jsbytecode *pc) {
+    virtual bool elementWriteIsDenseArray(HandleScript script, jsbytecode *pc) {
         return false;
     }
     virtual bool elementWriteIsTypedArray(JSScript *script, jsbytecode *pc, int *arrayType) {
         return false;
     }
     virtual bool elementWriteIsPacked(JSScript *script, jsbytecode *pc) {
         return false;
     }
-    virtual bool propertyWriteCanSpecialize(JSScript *script, jsbytecode *pc) {
+    virtual bool propertyWriteCanSpecialize(UnrootedScript script, jsbytecode *pc) {
         return true;
     }
     virtual bool propertyWriteNeedsBarrier(JSScript *script, jsbytecode *pc, jsid id) {
         return true;
     }
     virtual bool elementWriteNeedsBarrier(JSScript *script, jsbytecode *pc) {
         return true;
     }
@@ -222,28 +222,28 @@ class TypeInferenceOracle : public TypeO
     types::StackTypeSet *propertyReadBarrier(JSScript *script, jsbytecode *pc);
     bool propertyReadIdempotent(JSScript *script, jsbytecode *pc, HandleId id);
     bool propertyReadAccessGetter(JSScript *script, jsbytecode *pc);
     types::HeapTypeSet *globalPropertyWrite(JSScript *script, jsbytecode *pc, jsid id, bool *canSpecialize);
     types::StackTypeSet *returnTypeSet(JSScript *script, jsbytecode *pc, types::StackTypeSet **barrier);
     types::StackTypeSet *getCallTarget(JSScript *caller, uint32_t argc, jsbytecode *pc);
     types::StackTypeSet *getCallArg(JSScript *caller, uint32_t argc, uint32_t arg, jsbytecode *pc);
     types::StackTypeSet *getCallReturn(JSScript *caller, jsbytecode *pc);
-    bool inObjectIsDenseArray(JSScript *script, jsbytecode *pc);
+    bool inObjectIsDenseArray(HandleScript script, jsbytecode *pc);
     bool inArrayIsPacked(JSScript *script, jsbytecode *pc);
     bool elementReadIsDenseArray(JSScript *script, jsbytecode *pc);
     bool elementReadIsTypedArray(JSScript *script, jsbytecode *pc, int *atype);
     bool elementReadIsString(JSScript *script, jsbytecode *pc);
     bool elementReadIsPacked(JSScript *script, jsbytecode *pc);
     void elementReadGeneric(JSScript *script, jsbytecode *pc, bool *cacheable, bool *monitorResult);
-    bool elementWriteIsDenseArray(JSScript *script, jsbytecode *pc);
+    bool elementWriteIsDenseArray(HandleScript script, jsbytecode *pc);
     bool elementWriteIsTypedArray(JSScript *script, jsbytecode *pc, int *arrayType);
     bool elementWriteIsPacked(JSScript *script, jsbytecode *pc);
     bool setElementHasWrittenHoles(JSScript *script, jsbytecode *pc);
-    bool propertyWriteCanSpecialize(JSScript *script, jsbytecode *pc);
+    bool propertyWriteCanSpecialize(UnrootedScript script, jsbytecode *pc);
     bool propertyWriteNeedsBarrier(JSScript *script, jsbytecode *pc, jsid id);
     bool elementWriteNeedsBarrier(JSScript *script, jsbytecode *pc);
     MIRType elementWrite(JSScript *script, jsbytecode *pc);
     bool arrayPrototypeHasIndexedProperty();
     bool canInlineCalls();
     bool canInlineCall(JSScript *caller, jsbytecode *pc);
     bool canEnterInlinedFunction(JSFunction *callee);
     types::StackTypeSet *aliasedVarBarrier(JSScript *script, jsbytecode *pc, types::StackTypeSet **barrier);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-821551.js
@@ -0,0 +1,16 @@
+function g() {
+    z = newGlobal('');
+    return function(code) {
+        evalcx(code, z)
+    }
+}
+f = g();
+f("\
+    options('strict_mode');\
+    for (var x = 0; x < 1; ++x) {\
+        a = x;\
+    }\
+    options('strict_mode');\
+");
+f("a in eval");
+