mozilla-esr78: changeset 600185:f8c30263d78e8e81b20e5f59ef0cbfeabe17f6b6

--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5205,41 +5205,28 @@ AbortReasonOr<MInstruction*> IonBuilder:
 MDefinition* IonBuilder::createThisScripted(MDefinition* callee,
                                             MDefinition* newTarget) {
   // Get callee.prototype.
   //
   // This instruction MUST be idempotent: since it does not correspond to an
   // explicit operation in the bytecode, we cannot use resumeAfter().
   // Getters may not override |prototype| fetching, so this operation is
   // indeed idempotent.
-  // - First try an idempotent property cache.
-  // - Upon failing idempotent property cache, we can't use a non-idempotent
-  //   cache, therefore we fallback to CallGetProperty
   //
-  // Note: both CallGetProperty and GetPropertyCache can trigger a GC,
-  //       and thus invalidation.
-  MInstruction* getProto;
-  if (!invalidatedIdempotentCache()) {
-    MConstant* id = constant(StringValue(names().prototype));
-    MGetPropertyCache* getPropCache =
-        MGetPropertyCache::New(alloc(), newTarget, id,
-                               /* monitored = */ false);
-    getPropCache->setIdempotent();
-    getProto = getPropCache;
-  } else {
-    MCallGetProperty* callGetProp =
-        MCallGetProperty::New(alloc(), newTarget, names().prototype);
-    callGetProp->setIdempotent();
-    getProto = callGetProp;
-  }
-  current->add(getProto);
+  // Note: GetPropertyCache can trigger a GC, and thus invalidation.
+  MConstant* id = constant(StringValue(names().prototype));
+  MGetPropertyCache* getPropCache =
+      MGetPropertyCache::New(alloc(), newTarget, id,
+                              /* monitored = */ false);
+  getPropCache->setIdempotent();
+  current->add(getPropCache);
 
   // Create this from prototype
   MCreateThisWithProto* createThis =
-      MCreateThisWithProto::New(alloc(), callee, newTarget, getProto);
+      MCreateThisWithProto::New(alloc(), callee, newTarget, getPropCache);
   current->add(createThis);
 
   return createThis;
 }
 
 JSObject* IonBuilder::getSingletonPrototype(JSFunction* target) {
   TypeSet::ObjectKey* targetKey = TypeSet::ObjectKey::get(target);
   if (targetKey->unknownProperties()) {

--- a/js/src/jit/IonIC.cpp
+++ b/js/src/jit/IonIC.cpp
@@ -210,16 +210,25 @@ bool IonGetPropertyIC::update(JSContext*
 
     outerScript->setInvalidatedIdempotentCache();
 
     // Do not re-invalidate if the lookup already caused invalidation.
     if (outerScript->hasIonScript()) {
       Invalidate(cx, outerScript);
     }
 
+    // IonBuilder::createScriptedThis does not use InvalidedIdempotentCache
+    // flag so prevent bailout-loop by disabling Ion for the script.
+    MOZ_ASSERT(ic->kind() == CacheKind::GetProp);
+    if (idVal.toString()->asAtom().asPropertyName() == cx->names().prototype) {
+      if (val.isObject() && val.toObject().is<JSFunction>()) {
+        outerScript->disableIon();
+      }
+    }
+
     // We will redo the potentially effectful lookup in Baseline.
     return true;
   }
 
   if (ic->kind() == CacheKind::GetProp) {
     RootedPropertyName name(cx, idVal.toString()->asAtom().asPropertyName());
     if (!GetProperty(cx, val, name, res)) {
       return false;

author	Ted Campbell <tcampbell@mozilla.com>
	Sat, 07 Nov 2020 05:36:31 +0000
changeset 600185	f8c30263d78e8e81b20e5f59ef0cbfeabe17f6b6
parent 600180	0ea9c4f8619df6b325b7054b91e1c866ca731386
child 600186	c3756fa3a2a5d2066cfa09a2cf0b8f4c5e5f9a92
push id	120
push user	ryanvm@gmail.com
push date	Sun, 08 Nov 2020 18:26:43 +0000
treeherder	mozilla-esr78@f8c30263d78e [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	jandem, iain, RyanVM
bugs	1675905
milestone	78.5.0

js/src/jit/IonBuilder.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit/IonIC.cpp		file \| annotate \| diff \| comparison \| revisions