Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz FENNEC_66_0_1_BUILD1 FENNEC_66_0_1_RELEASE FIREFOX_66_0_1_BUILD1 FIREFOX_66_0_1_RELEASE
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 21 Mar 2019 22:47:55 +0000
changeset 516392 662e97c691037298df2971fea3def0bb19fe3f93
parent 516391 eebf74de1376d74e42b78351b00cee6d3293f92d
child 516393 20e58e7941887cbaff44285d3e72cf46cf6aff6d
child 516394 5045eb8aee03080e3297766e1f47b62367cc37a2
push id1979
push userryanvm@gmail.com
push dateFri, 22 Mar 2019 01:31:40 +0000
reviewerstcampbell, dveditz
bugs1538006
milestone66.0.1
Bug 1538006 - Don't emit unbarriered writes to an object if its group might change. r=tcampbell, a=dveditz Differential Revision: https://phabricator.services.mozilla.com/D24448
js/src/jit/MIR.cpp
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -6285,20 +6285,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
   // If all of the objects being written to have property types which already
   // reflect the value, no barrier at all is needed. Additionally, if all
   // objects being written to have the same types for the property, and those
   // types do *not* reflect the value, add a type barrier for the value.
 
   bool success = true;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
 
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     // TI doesn't track TypedArray indexes and should never insert a type
     // barrier for them.
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
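Review bot: The new `hasStableClassAndProto(constraints)` early return in the first loop carries no comment, and the block comment above the loop still describes only the "no barrier" and "type barrier for the value" outcomes. Keys with unknown properties used to be skipped with `continue` and now force the conservative answer, which is the point of the fix but cannot be read from the code. I would add above the check `// The group of this object might change, so the property types checked below can go stale: always require a barrier.`, and, if the helper also records a constraint on `constraints` as its argument suggests, say so in the same comment. The identical uncommented check is repeated in the second loop (second hunk); a small file-local helper shared by both loops would keep the two from drifting apart. The body of `PropertyWriteNeedsTypeBarrier` starts and ends outside the hunk.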
@@ -6345,19 +6349,24 @@ bool jit::PropertyWriteNeedsTypeBarrier(
 
   if (types->getObjectCount() <= 1) {
     return true;
   }
 
   TypeSet::ObjectKey* excluded = nullptr;
   for (size_t i = 0; i < types->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = types->getObject(i);
-    if (!key || key->unknownProperties()) {
+    if (!key) {
       continue;
     }
+
+    if (!key->hasStableClassAndProto(constraints)) {
+      return true;
+    }
+
     if (!name && IsTypedArrayClass(key->clasp())) {
       continue;
     }
 
     jsid id = name ? NameToId(name) : JSID_VOID;
     HeapTypeSetKey property = key->property(id);
     if (CanWriteProperty(alloc, constraints, property, *pvalue, implicitType)) {
       continue;