Bug 1516560. Stop trying to do DOM proxy caching for DOM proxies with dynamic prototypes. r=jandem
authorBoris Zbarsky <bzbarsky@mit.edu>
Mon, 31 Dec 2018 16:16:00 +0000
changeset 509347 fda9de78ff7f1836278a7bd4b2581940883afb84
parent 509346 0def5ac36b5bf1f7f70bd84d3398dfb64d853ba8
child 509352 5826b2352ac08248205d3b0e29587ab8ad415bfe
push id10547
push userffxbld-merge
push dateMon, 21 Jan 2019 13:03:58 +0000
reviewersjandem
bugs1516560
milestone66.0a1
Bug 1516560. Stop trying to do DOM proxy caching for DOM proxies with dynamic prototypes. r=jandem This only affects Location. Differential Revision: https://phabricator.services.mozilla.com/D15422
dom/base/crashtests/1516560.html
dom/base/crashtests/crashtests.list
js/src/jit/BaselineIC.h
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/1516560.html
@@ -0,0 +1,3 @@
+<script>
+  for (var i = 0; i < 10000; ++i) location.noSuchProp;
+</script>
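Review bot: The crashtest does not say what it is pinning, so a later cleanup could lower the 10000 iteration count and turn it into a no-op. The count is presumably there to get the `location.noSuchProp` access hot enough for the JIT to attach an inline cache; a one-line comment would record that, e.g. `<!-- Loop long enough for the JIT to attach an IC for a missing-property get on Location (bug 1516560). -->`. The test covers only a get of a missing property; if the changed predicate also gates other cached operations on Location, a sibling loop for each would keep the regression coverage complete.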
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -241,8 +241,9 @@ load 1441029.html
 load 1449601.html
 load 1445670.html
 load 1458016.html
 load 1459688.html
 load 1460794.html
 load 1505875.html
 load 1505811.html
 load 1508845.html
+load 1516560.html
--- a/js/src/jit/BaselineIC.h
+++ b/js/src/jit/BaselineIC.h
@@ -2779,17 +2779,23 @@ class ICNewObject_Fallback : public ICFa
 };
 
 inline bool IsCacheableDOMProxy(JSObject* obj) {
   if (!obj->is<ProxyObject>()) {
     return false;
   }
 
   const BaseProxyHandler* handler = obj->as<ProxyObject>().handler();
-  return handler->family() == GetDOMProxyHandlerFamily();
+  if (handler->family() != GetDOMProxyHandlerFamily()) {
+    return false;
+  }
+
+  // Some DOM proxies have dynamic prototypes.  We can't really cache those very
+  // well.
+  return obj->hasStaticPrototype();
 }
 
 struct IonOsrTempData;
 
 template <typename T>
 void EmitICUnboxedPreBarrier(MacroAssembler& masm, const T& address,
                              JSValueType type);
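Review bot: The comment added above `return obj->hasStaticPrototype();` says dynamic-prototype proxies can't be cached "very well" but not what goes wrong, which is what a maintainer needs to know before relaxing this check. Presumably the DOM proxy IC stubs depend on a prototype that stays fixed after the stub is attached, and a handler-computed prototype gives them nothing stable to guard on. If that is the reason, say so, e.g. `// DOM proxies with a dynamic prototype (currently only Location) have no fixed prototype for IC stubs to guard on, so never treat them as cacheable.` Because this predicate is the only visible gate for that assumption, a `MOZ_ASSERT(obj->hasStaticPrototype());` in the code that attaches the DOM proxy stubs would catch in debug builds any path that reaches it without going through `IsCacheableDOMProxy`; those callers are outside this hunk.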