Bug 1509482: Add EnsureBallast calls r=nbp
authorIain Ireland <iireland@mozilla.com>
Tue, 27 Nov 2018 10:36:18 +0000
changeset 504702 f58c9289f62e89f87c1899b9b7b89dda191d740a
parent 504701 ce0cebad842b1fc3c14b552dccaa59dc9ec8dd09
child 504703 8be20508c9d5577ec80c7e181fae203a7f736bc1
push id10290
push userffxbld-merge
push dateMon, 03 Dec 2018 16:23:23 +0000
treeherdermozilla-beta@700bed2445e6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnbp
bugs1509482
milestone65.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1509482: Add EnsureBallast calls r=nbp Differential Revision: https://phabricator.services.mozilla.com/D12954
js/src/jit-test/tests/ion/bug1509482.js
js/src/jit/IonBuilder.cpp
js/src/vm/TypeInference.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1509482.js
@@ -0,0 +1,18 @@
+let singleton = {x: 1};
+
+let holder = {sing_prop: singleton}
+
+function makeChain(n, base) {
+    var curr = base;
+    for (var i = 0; i < n; i++) {
+	curr = Object.create(curr);
+    }
+    return curr;
+}
+let chain = makeChain(1000, holder);
+
+var x = 0;
+for (var i = 0; i < 1111; i++) {
+    x += chain.sing_prop.x;
+    singleton.x = -singleton.x // Don't want it to be a constant.
+}
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -7472,16 +7472,20 @@ IonBuilder::testSingletonProperty(JSObje
     // If the access definitely goes through obj, either directly or on the
     // prototype chain, and the object has singleton type, then the type
     // information for that property reflects the value that will definitely be
     // read on accesses to the object. If the property is later deleted or
     // reconfigured as a getter/setter then the type information for the
     // property will change and trigger invalidation.
 
     while (obj) {
+        if (!alloc().ensureBallast()) {
+            return nullptr;
+        }
+
         if (!ClassHasEffectlessLookup(obj->getClass())) {
             return nullptr;
         }
 
         TypeSet::ObjectKey* objKey = TypeSet::ObjectKey::get(obj);
         if (analysisContext) {
             objKey->ensureTrackedProperty(analysisContext, id);
         }
@@ -7557,16 +7561,21 @@ IonBuilder::testSingletonPropertyTypes(M
         // find a prototype common to all the objects; if that prototype
         // has the singleton property, the access will not be on a missing property.
         JSObject* singleton = nullptr;
         for (unsigned i = 0; i < types->getObjectCount(); i++) {
             TypeSet::ObjectKey* key = types->getObject(i);
             if (!key) {
                 continue;
             }
+
+            if (!alloc().ensureBallast()) {
+                return nullptr;
+            }
+
             if (analysisContext) {
                 key->ensureTrackedProperty(analysisContext, id);
             }
 
             const Class* clasp = key->clasp();
             if (!ClassHasEffectlessLookup(clasp) || ObjectHasExtraOwnProperty(realm, key, id)) {
                 return nullptr;
             }
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -1783,16 +1783,17 @@ class ConstraintDataFreeze
 };
 
 } /* anonymous namespace */
 
 void
 HeapTypeSetKey::freeze(CompilerConstraintList* constraints)
 {
     LifoAlloc* alloc = constraints->alloc();
+    LifoAlloc::AutoFallibleScope fallibleAllocator(alloc);
 
     typedef CompilerConstraintInstance<ConstraintDataFreeze> T;
     constraints->add(alloc->new_<T>(alloc, *this, ConstraintDataFreeze()));
 }
 
 static inline jit::MIRType
 GetMIRTypeFromTypeFlags(TypeFlags flags)
 {