Bug 1100202 - Avoid downcasting callable objects to functions during polymorphic inlining, r=jandem.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 18 Nov 2014 09:24:30 -0700
changeset 240621 9b395e34931cc30dc758b95bc027bb95252aadca
parent 240620 1608ca65d899951b980be5a86f9073546ff6bad2
child 240622 d1469442b5f79bbb5d86d99b951af8987aef0050
reviewersjandem
bugs1100202
milestone36.0a1
Bug 1100202 - Avoid downcasting callable objects to functions during polymorphic inlining, r=jandem.
js/src/jit-test/tests/TypedObject/bug1100202.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug1100202.js
@@ -0,0 +1,15 @@
+if (typeof TypedObject === "undefined")
+  quit();
+
+(function() {
+    Object
+})()
+var {
+    Object
+} = TypedObject
+function f() {
+    Object(Symbol)
+}
+for (var i = 0; i < 1; i++) {
+    f()
+}
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -4965,26 +4965,26 @@ IonBuilder::inlineCalls(CallInfo &callIn
     // specialized to the type objects which can generate that inlining target.
     // After inlining the original type set is restored.
     types::TemporaryTypeSet *cacheObjectTypeSet =
         maybeCache ? maybeCache->object()->resultTypeSet() : nullptr;
 
     // Inline each of the inlineable targets.
     MOZ_ASSERT(targets.length() == originals.length());
     for (uint32_t i = 0; i < targets.length(); i++) {
+        // Target must be inlineable.
+        if (!choiceSet[i])
+            continue;
+
         // When original != target, the target is a callsite clone. The
         // original should be used for guards, and the target should be the
         // actual function inlined.
         JSFunction *original = &originals[i]->as<JSFunction>();
         JSFunction *target = &targets[i]->as<JSFunction>();
 
-        // Target must be inlineable.
-        if (!choiceSet[i])
-            continue;
-
         // Target must be reachable by the MDispatchInstruction.
         if (maybeCache && !maybeCache->propTable()->hasFunction(original)) {
             choiceSet[i] = false;
             continue;
         }
 
         MBasicBlock *inlineBlock = newBlock(dispatchBlock, pc);
         if (!inlineBlock)
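Review bot: The reordering makes the unchecked `as<JSFunction>()` downcasts on the `original`/`target` lines safe only under the invariant that `choiceSet[i]` is never set for a non-function callable, and that invariant is established where `choiceSet` is built, outside this hunk, so nothing in the loop itself documents why skipping on `!choiceSet[i]` first is sufficient. I would extend the moved comment to state the dependency explicitly: `// Target must be inlineable. Non-function callables are never selected into choiceSet, so the JSFunction downcasts below are only reached for actual functions.` That keeps the next person who touches the inlining-candidate selection from reintroducing the bad cast without noticing. The enclosing inlineCalls() body starts and ends outside the hunk, so the selection code could not be checked from here.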