[INFER] Don't optimize LENGTH and PROP accesses on known non-objects, bug 650662.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 18 Apr 2011 22:08:34 -0700
changeset 75725 cd01ef66dac7d92617759626fc557b2946596f06
parent 75724 425b3fcdbe412156836a4a4eb360a9132a46e238
child 75726 f60bb600974bf7925d9902f7cb9e63b99ea5ca4d
push id235
push userbzbarsky@mozilla.com
push dateTue, 27 Sep 2011 17:13:04 +0000
treeherdermozilla-beta@2d1e082d176a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs650662
milestone6.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
[INFER] Don't optimize LENGTH and PROP accesses on known non-objects, bug 650662.
js/src/jit-test/tests/jaeger/bug650662.js
js/src/methodjit/Compiler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug650662.js
@@ -0,0 +1,6 @@
+test();
+function test() {
+  var a = [];
+  a*=3;
+  a.length;
+}
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -4373,17 +4373,18 @@ mjit::Compiler::jsop_length()
 
     /*
      * Check if we are accessing the 'length' property of a known dense array.
      * Note that if the types are known to indicate dense arrays, their lengths
      * must fit in an int32.
      */
     types::TypeSet *types = frame.extra(top).types;
     types::ObjectKind kind = types ? types->getKnownObjectKind(cx) : types::OBJECT_UNKNOWN;
-    if ((kind == types::OBJECT_DENSE_ARRAY || kind == types::OBJECT_PACKED_ARRAY)) {
+    if ((kind == types::OBJECT_DENSE_ARRAY || kind == types::OBJECT_PACKED_ARRAY) &&
+        !top->isNotType(JSVAL_TYPE_OBJECT)) {
         bool isObject = top->isTypeKnown();
         if (!isObject) {
             Jump notObject = frame.testObject(Assembler::NotEqual, top);
             stubcc.linkExit(notObject, Uses(1));
             stubcc.leave();
             OOL_STUBCALL(stubs::Length);
         }
         RegisterID reg = frame.tempRegForData(top);
@@ -4439,17 +4440,19 @@ mjit::Compiler::jsop_getprop(JSAtom *ato
 
     /*
      * Check if we are accessing a known type which always has the property
      * in a particular inline slot. Get the property directly in this case,
      * without using an IC.
      */
     JSOp op = JSOp(*PC);
     types::TypeSet *types = frame.extra(top).types;
-    if ((op == JSOP_GETPROP || op == JSOP_GETTHISPROP || op == JSOP_GETARGPROP || op == JSOP_GETLOCALPROP) &&
+    if ((op == JSOP_GETPROP || op == JSOP_GETTHISPROP ||
+         op == JSOP_GETARGPROP || op == JSOP_GETLOCALPROP) &&
+        !top->isNotType(JSVAL_TYPE_OBJECT) &&
         types && !types->unknown() && types->getObjectCount() == 1 &&
         !types->getObject(0)->unknownProperties()) {
         JS_ASSERT(usePropCache);
         types::TypeObject *object = types->getObject(0);
         types::TypeSet *propertyTypes = object->getProperty(cx, ATOM_TO_JSID(atom), false);
         if (!propertyTypes)
             return false;
         if (propertyTypes->isDefiniteProperty() && !propertyTypes->isOwnProperty(cx, true)) {
@@ -4992,18 +4995,18 @@ mjit::Compiler::jsop_setprop(JSAtom *ato
         return true;
     }
 
     /*
      * Set the property directly if we are accessing a known object which
      * always has the property in a particular inline slot.
      */
     types::TypeSet *types = frame.extra(lhs).types;
-    if (JSOp(*PC) == JSOP_SETPROP && types &&
-        !types->unknown() && types->getObjectCount() == 1 &&
+    if (JSOp(*PC) == JSOP_SETPROP && !lhs->isNotType(JSVAL_TYPE_OBJECT) &&
+        types && !types->unknown() && types->getObjectCount() == 1 &&
         !types->getObject(0)->unknownProperties()) {
         JS_ASSERT(usePropCache);
         types::TypeObject *object = types->getObject(0);
         types::TypeSet *propertyTypes = object->getProperty(cx, ATOM_TO_JSID(atom), false);
         if (!propertyTypes)
             return false;
         if (propertyTypes->isDefiniteProperty() && !propertyTypes->isOwnProperty(cx, true)) {
             types->addFreeze(cx);