Bug 857576 - Make sure isOwnProperty() method of the input typeset's single typeobject's property typeset is run before main body of IonBuilder::jsop_getprop method. r=bhackett
authorKannan Vijayan <kvijayan@mozilla.com>
Thu, 04 Apr 2013 11:44:23 -0400
changeset 138617 ede8de979d5cc280b0185f5e0b787771478b0559
parent 138616 cbed4fe28c54ed2dd2bab4c1914cad44bec84597
child 138618 12554c928f609720def90615003c0f04e99086a5
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
treeherdermozilla-beta@b69b7de8a05a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbhackett
bugs857576
milestone23.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 857576 - Make sure isOwnProperty() method of the input typeset's single typeobject's property typeset is run before main body of IonBuilder::jsop_getprop method. r=bhackett
js/src/ion/BaselineIC.h
js/src/ion/IonBuilder.cpp
--- a/js/src/ion/BaselineIC.h
+++ b/js/src/ion/BaselineIC.h
@@ -3630,17 +3630,19 @@ class ICGetIntrinsic_Constant : public I
     HeapValue value_;
 
     ICGetIntrinsic_Constant(IonCode *stubCode, HandleValue value)
       : ICStub(GetIntrinsic_Constant, stubCode),
         value_(value)
     {}
 
   public:
-    static inline ICGetIntrinsic_Constant *New(ICStubSpace *space, IonCode *code, HandleValue value) {
+    static inline ICGetIntrinsic_Constant *New(ICStubSpace *space, IonCode *code,
+                                               HandleValue value)
+    {
         if (!code)
             return NULL;
         return space->allocate<ICGetIntrinsic_Constant>(code, value);
     }
 
     HeapValue &value() {
         return value_;
     }
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -6647,16 +6647,21 @@ IonBuilder::storeSlot(MDefinition *obj, 
     return resumeAfter(store);
 }
 
 bool
 IonBuilder::jsop_getprop(HandlePropertyName name)
 {
     RootedId id(cx, NameToId(name));
 
+    // GetDefiniteSlot may cause type information to shift, and it's done inside
+    // getPropTryDefiniteSlot.  Do it here first to ensure that all type info changes
+    // occur before handling the op.
+    GetDefiniteSlot(cx, oracle->unaryTypes(script(), pc).inTypes, name);
+
     RootedScript scriptRoot(cx, script());
     types::StackTypeSet *barrier = oracle->propertyReadBarrier(scriptRoot, pc);
     types::StackTypeSet *types = oracle->propertyRead(script(), pc);
     TypeOracle::Unary unary = oracle->unaryOp(script(), pc);
     TypeOracle::UnaryTypes uTypes = oracle->unaryTypes(script(), pc);
 
     bool emitted = false;