Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz DEVEDITION_67_0b4_BUILD2 DEVEDITION_67_0b4_RELEASE FENNEC_67_0b4_BUILD1 FENNEC_67_0b4_RELEASE FIREFOX_67_0b4_BUILD2 FIREFOX_67_0b4_RELEASE
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 21 Mar 2019 22:47:55 +0000
changeset 525667 77536919b1210dcee2e3d72416108210bd9a10c8
parent 525666 5aa32b11aaac804cd226e5a00f071f1d5f621ba0
child 525668 1e06def4d7680044f62c62abd20eb83519116192
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
treeherdermozilla-release@455c1065dcbe [default view] [failures only]
reviewerstcampbell, dveditz
bugs1538006
milestone67.0
Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz Differential Revision: https://phabricator.services.mozilla.com/D24448
js/src/jit/MIR.cpp
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -6298,20 +6298,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
   // If all of the objects being written to have property types which already
   // reflect the value, no barrier at all is needed. Additionally, if all
   // objects being written to have the same types for the property, and those
   // types do *not* reflect the value, add a type barrier for the value.
 
   bool success = true;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
 
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     // TI doesn't track TypedArray indexes and should never insert a type
     // barrier for them.
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
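Review bot: The new guard `if (!key->hasStableClassAndProto(constraints)) { return true; }` has no comment explaining why an unstable group must force a barrier, and the same uncommented guard is repeated in the second loop (the hunk at -6358). Because the old `key->unknownProperties()` skip is removed, keys with unknown properties now reach `key->property(id)` unless the new check rejects them first. That is presumably what happens, but it is not visible in these hunks, so the comment should state it once confirmed. I would add above both guards something like `// If the group's class or proto can still change, the type information read below may go stale, so conservatively require a barrier.` The body of PropertyWriteNeedsTypeBarrier starts and ends outside both hunks, so how callers use the conservative `true` result cannot be checked from here.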
@@ -6358,19 +6362,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
 
   if (types->getObjectCount() <= 1) {
     return true;
   }
 
   TypeSet::ObjectKey* excluded = nullptr;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
+
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
     if (CanWriteProperty(alloc, constraints, property, *pvalue, implicitType)) {
       continue;