Bug 1222905 - Fix some issues related to Ion's AddSlot IC code. r=bhackett, a=ritu
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 17 Nov 2015 09:47:10 +0100
changeset 305559 31f2dd2a0ec9ef83222daba09d4364490d2a05f4
parent 305558 2e6d20d6dba3f2c46f24bc648f29f630c808ee03
child 305560 f0282ad221a3bf1aa2d137daa4650ec3ee0e6c1b
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
treeherdermozilla-release@8b89261f3ac4 [default view] [failures only]
reviewersbhackett, ritu
bugs1222905
milestone44.0a2
Bug 1222905 - Fix some issues related to Ion's AddSlot IC code. r=bhackett, a=ritu
js/src/jit-test/tests/ion/bug1222905.js
js/src/jit/IonCaches.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1222905.js
@@ -0,0 +1,14 @@
+for (var i = 0; i < 90; ++i) {
+    y = {x: 1};
+}
+
+Object.defineProperty(Object.prototype, "zz", {set: (v) => 1 });
+
+function f() {
+    for (var i=0; i<1500; i++) {
+        y[0] = 0;
+        if (i > 1400)
+            y.zz = 3;
+    }
+}
+f();
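Review bot: The new test has no comment saying what it guards, and the loop counts 90, 1500 and 1400 look tuned to allocation and JIT warm-up thresholds that are not stated anywhere in the file. If those thresholds change, the test would probably keep passing without ever reaching the AddSlot IC path it was written for. A header comment such as `// Bug 1222905: element write (y[0]) followed by a named add that hits a prototype setter, under Ion.` (wording to be confirmed by the author), plus a short remark on each count, would keep this regression coverage auditable.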
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@@ -2062,22 +2062,26 @@ ValueToNameOrSymbolId(JSContext* cx, Han
     *nameOrSymbol = false;
 
     if (!idval.isString() && !idval.isSymbol())
         return true;
 
     if (!ValueToId<CanGC>(cx, idval, id))
         return false;
 
-    if (!JSID_IS_STRING(id) && !JSID_IS_SYMBOL(id))
+    if (!JSID_IS_STRING(id) && !JSID_IS_SYMBOL(id)) {
+        id.set(JSID_VOID);
         return true;
+    }
 
     uint32_t dummy;
-    if (JSID_IS_STRING(id) && JSID_TO_ATOM(id)->isIndex(&dummy))
+    if (JSID_IS_STRING(id) && JSID_TO_ATOM(id)->isIndex(&dummy)) {
+        id.set(JSID_VOID);
         return true;
+    }
 
     *nameOrSymbol = true;
     return true;
 }
 
 bool
 GetPropertyIC::tryAttachStub(JSContext* cx, HandleScript outerScript, IonScript* ion,
                              HandleObject obj, HandleValue idval, bool* emitted)
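Review bot: The first early return, `if (!idval.isString() && !idval.isSymbol()) return true;`, still leaves `id` at whatever value the caller passed in, so the "id is JSID_VOID whenever *nameOrSymbol is false" behaviour added here holds on only two of the three non-name exits. A caller that reuses an id handle, or reads `id` without checking `*nameOrSymbol`, could still see a stale or non-name id on that path. Setting the sentinel once at the top, `id.set(JSID_VOID);` next to `*nameOrSymbol = false;`, would make the contract unconditional and let the two added `id.set` calls go. The function's opening lines are outside the hunk, so confirm this is not already done there.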
@@ -3353,17 +3357,17 @@ CanAttachAddUnboxedExpando(JSContext* cx
     if (!obj->is<UnboxedPlainObject>())
         return false;
 
     Rooted<UnboxedExpandoObject*> expando(cx, obj->as<UnboxedPlainObject>().maybeExpando());
     if (!expando || expando->inDictionaryMode())
         return false;
 
     Shape* newShape = expando->lastProperty();
-    if (newShape->propid() != id || newShape->previous() != oldShape)
+    if (newShape->isEmptyShape() || newShape->propid() != id || newShape->previous() != oldShape)
         return false;
 
     MOZ_ASSERT(newShape->hasDefaultSetter() && newShape->hasSlot() && newShape->writable());
 
     if (PrototypeChainShadowsPropertyAdd(cx, obj, id))
         return false;
 
     if (needsTypeBarrier && !CanInlineSetPropTypeCheck(obj, id, val, checkTypeset))
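Review bot: The added `newShape->isEmptyShape()` test carries no comment, yet its position ahead of `newShape->propid()` is the whole point: an expando that has no properties yet presumably has an empty last shape, on which `propid()` is not meaningful. A later reordering of this condition would silently bring the problem back. Suggest a line above it such as `// The expando may still be empty; check that before reading propid().`. The enclosing function starts and ends outside the hunk.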
@@ -3548,16 +3552,19 @@ SetPropertyIC::tryAttachAddSlot(JSContex
                                 HandleObject obj, HandleId id, HandleObjectGroup oldGroup,
                                 HandleShape oldShape, bool tryNativeAddSlot, bool* emitted)
 {
     MOZ_ASSERT(!*emitted);
 
     if (!canAttachStub())
         return true;
 
+    if (!JSID_IS_STRING(id) && !JSID_IS_SYMBOL(id))
+        return true;
+
     // A GC may have caused cache.value() to become stale as it is not traced.
     // In this case the IonScript will have been invalidated, so check for that.
     // Assert no further GC is possible past this point.
     JS::AutoAssertNoAlloc nogc;
     if (ion->invalidated())
         return true;
 
     // The property did not exist before, now we can try to inline the property add.
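Review bot: The new guard `if (!JSID_IS_STRING(id) && !JSID_IS_SYMBOL(id)) return true;` checks the jsid tag only, while ValueToNameOrSymbolId in this same commit also rejects string ids whose atom is an index. The two filters agree only if every caller has normalised the id through that helper first, which this hunk does not show. A comment stating that dependency, for example `// Callers pass JSID_VOID for keys that are not plain names or symbols; those can never be an added slot.`, would make the assumption visible. A debug-only assertion that a string id here is not an index atom would catch a caller that skips the helper. The function body continues past the end of the hunk.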