Bug 1143216 - Do not replace recovered on bailout instructions with effective addresses equivalent. r=sunfish
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Fri, 27 Mar 2015 19:47:49 +0100
changeset 266568 04f99f21d1f2bccbde2fe1548578a8f50457ff2e
parent 266567 8dc24100ee368c3fa1042723d865233768ab81e7
child 266569 8db04357fe91564a39b370e9ba8b3dce8544924e
push id830
push userraliiev@mozilla.com
push dateFri, 19 Jun 2015 19:24:37 +0000
treeherdermozilla-release@932614382a68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssunfish
bugs1143216
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1143216 - Do not replace recovered on bailout instructions with effective addresses equivalent. r=sunfish
js/src/jit-test/tests/ion/bug1143216.js
js/src/jit/EffectiveAddressAnalysis.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1143216.js
@@ -0,0 +1,17 @@
+// Note: This test produces a link error which is required to reproduce the
+// original issue.
+m = (function(stdlib, n, heap) {
+    "use asm"
+    var Float64ArrayView = new stdlib.Float64Array(heap)
+    var Int16ArrayView = new stdlib.Int16Array(heap)
+    function f(i0) {
+        i0 = i0 | 0
+        i0 = i0 | 0
+        Int16ArrayView[0] = (i0 << 0) + i0
+        Float64ArrayView[0]
+    }
+    return f
+})(this, {}, Array)
+for (var j = 0; j < 9; j++) {
+    m()
+}
--- a/js/src/jit/EffectiveAddressAnalysis.cpp
+++ b/js/src/jit/EffectiveAddressAnalysis.cpp
@@ -12,16 +12,19 @@ using namespace js;
 using namespace jit;
 
 static void
 AnalyzeLsh(TempAllocator &alloc, MLsh *lsh)
 {
     if (lsh->specialization() != MIRType_Int32)
         return;
 
+    if (lsh->isRecoveredOnBailout())
+        return;
+
     MDefinition *index = lsh->lhs();
     MOZ_ASSERT(index->type() == MIRType_Int32);
 
     MDefinition *shift = lsh->rhs();
     if (!shift->isConstantValue())
         return;
 
     Value shiftValue = shift->constantValue();
@@ -51,44 +54,52 @@ AnalyzeLsh(TempAllocator &alloc, MLsh *l
             displacement += other->constantValue().toInt32();
         } else {
             if (base)
                 break;
             base = other;
         }
 
         last = add;
+        if (last->isRecoveredOnBailout())
+            return;
     }
 
     if (!base) {
         uint32_t elemSize = 1 << ScaleToShift(scale);
         if (displacement % elemSize != 0)
             return;
 
         if (!last->hasOneUse())
             return;
 
         MUseIterator use = last->usesBegin();
         if (!use->consumer()->isDefinition() || !use->consumer()->toDefinition()->isBitAnd())
             return;
 
         MBitAnd *bitAnd = use->consumer()->toDefinition()->toBitAnd();
+        if (bitAnd->isRecoveredOnBailout())
+            return;
+
         MDefinition *other = bitAnd->getOperand(1 - bitAnd->indexOf(*use));
         if (!other->isConstantValue() || !other->constantValue().isInt32())
             return;
 
         uint32_t bitsClearedByShift = elemSize - 1;
         uint32_t bitsClearedByMask = ~uint32_t(other->constantValue().toInt32());
         if ((bitsClearedByShift & bitsClearedByMask) != bitsClearedByMask)
             return;
 
         bitAnd->replaceAllUsesWith(last);
         return;
     }
 
+    if (base->isRecoveredOnBailout())
+        return;
+
     MEffectiveAddress *eaddr = MEffectiveAddress::New(alloc, base, index, scale, displacement);
     last->replaceAllUsesWith(eaddr);
     last->block()->insertAfter(last, eaddr);
 }
 
 template<typename MAsmJSHeapAccessType>
 static void
 AnalyzeAsmHeapAccess(MAsmJSHeapAccessType *ins, MIRGraph &graph)