Bug 1134074 - IonBuilder: Atomize strings when inlining String.split. r=djvj
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Fri, 27 Mar 2015 17:40:57 +0100
changeset 264984 d4cac14b98af3efdf85462617c404a828cb65865
parent 264983 2d59ec36a2e48587ac39d066122695df612575fc
child 264985 76f46106d07efc487dea8aa41a75d8b13bced72b
push id4718
push userraliiev@mozilla.com
push dateMon, 11 May 2015 18:39:53 +0000
treeherdermozilla-beta@c20c4ef55f08 [default view] [failures only]
reviewersdjvj
bugs1134074
milestone39.0a1
Bug 1134074 - IonBuilder: Atomize strings when inlining String.split. r=djvj
js/src/jit-test/tests/ion/bug1134074.js
js/src/jit/MCallOptimize.cpp
js/src/jit/MIR.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1134074.js
@@ -0,0 +1,10 @@
+
+setJitCompilerOption("ion.warmup.trigger", 30);
+function bar(i) {
+  if (i >= 40)
+    return;
+  if ("aaa,bbb,ccc".split(",")[0].length != 3)
+    throw "???";
+  bar(i + 1);
+}
+bar(0);
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -1537,19 +1537,24 @@ IonBuilder::inlineConstantStringSplit(Ca
 
     if (!key.maybeTypes()->hasType(TypeSet::StringType()))
         return InliningStatus_NotInlined;
 
     uint32_t initLength = templateObject->as<ArrayObject>().length();
     if (templateObject->getDenseInitializedLength() != initLength)
         return InliningStatus_NotInlined;
 
+    JSContext *cx = GetJitContext()->cx;
     Vector<MConstant *, 0, SystemAllocPolicy> arrayValues;
     for (uint32_t i = 0; i < initLength; i++) {
-        MConstant *value = MConstant::New(alloc(), templateObject->getDenseElement(i), constraints());
+        JSAtom *str = js::AtomizeString(cx, templateObject->getDenseElement(i).toString());
+        if (!str)
+            return InliningStatus_Error;
+
+        MConstant *value = MConstant::New(alloc(), StringValue(str), constraints());
         if (!TypeSetIncludes(key.maybeTypes(), value->type(), value->resultTypeSet()))
             return InliningStatus_NotInlined;
 
         if (!arrayValues.append(value))
             return InliningStatus_Error;
     }
     callInfo.setImplicitlyUsedUnchecked();
 
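Review bot: The added `templateObject->getDenseElement(i).toString()` in the loop is called without checking that the element is a string, whereas the removed line passed the Value through unchanged. `Value::toString()` verifies the tag only by assertion, so in a release build a non-string element would be handed to `AtomizeString` as if it were a `JSString *`. If the template object is guaranteed to hold only strings, record that with `MOZ_ASSERT(templateObject->getDenseElement(i).isString());`; otherwise bail out first with `if (!templateObject->getDenseElement(i).isString()) return InliningStatus_NotInlined;`. It is also worth confirming that `GetJitContext()->cx` is non-null on every path that reaches this loop, since the hunk passes it to `AtomizeString` unconditionally. The body of inlineConstantStringSplit starts and ends outside the hunk.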
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -705,16 +705,18 @@ MConstant::MConstant(const js::Value &vp
         // Ion compilation. Give it an unknown typeset to poison any type sets
         // it merges with.
         //
         // TODO We could track uninitialized lexicals more precisely by tracking
         // them in type sets.
         setResultTypeSet(MakeUnknownTypeSet());
     }
 
+    MOZ_ASSERT_IF(vp.isString(), vp.toString()->isAtom());
+
     setMovable();
 }
 
 MConstant::MConstant(JSObject *obj)
   : value_(ObjectValue(*obj))
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
     setResultType(MIRType_Object);
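Review bot: The added `MOZ_ASSERT_IF(vp.isString(), vp.toString()->isAtom());` before `setMovable()` is a debug-only check, so release builds depend on every path that constructs a string MConstant having atomized the value first; the only caller this commit visibly updates is inlineConstantStringSplit. The assertion also carries no comment saying why string constants must be atoms, and I would add one naming the invariant and the bug, e.g. `// String constants must be atomized by the caller before reaching MConstant (bug 1134074).`. The MConstant constructor begins outside the hunk, so its other callers are worth auditing against the same invariant.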