Account for ObjectElements header when inlining JSOP_NEWINIT, bug 693971.
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 13 Oct 2011 09:18:45 -0700
changeset 82895 ae061e27e3df3015a87f2eef1bfc7f72712941ec
parent 82894 eaefd8a21120d47d7f6f437c4a0acfd1afa922af
child 82896 04d4b9920e443e496b377b2d828db8b9777ce485
push id519
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 00:38:35 +0000
bugs693971
milestone10.0a1
Account for ObjectElements header when inlining JSOP_NEWINIT, bug 693971.
js/src/methodjit/Compiler.cpp
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -6439,19 +6439,21 @@ mjit::Compiler::jsop_newinit()
     types::TypeObject *type = NULL;
     if (globalObj) {
         type = types::TypeScript::InitObject(cx, script, PC,
                                              isArray ? JSProto_Array : JSProto_Object);
         if (!type)
             return false;
     }
 
+    JS_STATIC_ASSERT(sizeof(ObjectElements) == 2 * sizeof(js::Value));
+
     if (!cx->typeInferenceEnabled() ||
         !globalObj ||
-        (isArray && count >= gc::GetGCKindSlots(gc::FINALIZE_OBJECT_LAST)) ||
+        (isArray && count > gc::GetGCKindSlots(gc::FINALIZE_OBJECT_LAST) - 2) ||
         (!isArray && !baseobj) ||
         (!isArray && baseobj->hasDynamicSlots())) {
         prepareStubCall(Uses(0));
         masm.storePtr(ImmPtr(type), FrameAddress(offsetof(VMFrame, scratch)));
         masm.move(ImmPtr(stubArg), Registers::ArgReg1);
         INLINE_STUBCALL(stub, REJOIN_FALLTHROUGH);
         frame.pushSynced(JSVAL_TYPE_OBJECT);
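Review bot: The literal `2` in `count > gc::GetGCKindSlots(gc::FINALIZE_OBJECT_LAST) - 2` is connected to the ObjectElements header only by the JS_STATIC_ASSERT two lines above it, so a reader has to infer why the bound shrinks by two. Because this bound decides whether the array's initial elements are written by the inline path, presumably into the object's fixed allocation, I would derive the value rather than repeat it, e.g. `const size_t headerSlots = sizeof(ObjectElements) / sizeof(js::Value);` and `count > gc::GetGCKindSlots(gc::FINALIZE_OBJECT_LAST) - headerSlots`. A short comment such as `// Inline array elements share the fixed slots with the ObjectElements header.` would record the invariant next to the check. The subtraction also relies on the slot count for FINALIZE_OBJECT_LAST being at least two, which looks safe but is not visible here, and the rest of jsop_newinit, including the inline allocation path this condition guards, lies outside the hunk.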