Bug 1373094 - Fix ICUpdatedStub::addUpdateStubForValue to use the correct group. r=tcampbell a=al
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 07 Jul 2017 14:52:13 +0200
changeset 414213 ebda0666d66ff826c321a3e7ab4d4c4230c06149
parent 414212 e56241dd21aeef0ee1a49835bc15b093a60affbd
child 414214 47395fea9c849e3c1f8aa1056a3d59a72c1b299b
push id1490
push usermtabara@mozilla.com
push dateMon, 31 Jul 2017 14:08:16 +0000
treeherdermozilla-release@70e32e6bf15e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstcampbell, al
bugs1373094
milestone55.0
Bug 1373094 - Fix ICUpdatedStub::addUpdateStubForValue to use the correct group. r=tcampbell a=al
js/src/jit/BaselineIC.cpp
js/src/jit/SharedIC.cpp
js/src/jit/SharedIC.h
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -323,17 +323,17 @@ DoTypeUpdateFallback(JSContext* cx, Base
         }
     }
 
     if (MOZ_LIKELY(addType)) {
         JSObject* maybeSingleton = obj->isSingleton() ? obj.get() : nullptr;
         AddTypePropertyId(cx, group, maybeSingleton, id, value);
     }
 
-    if (MOZ_UNLIKELY(!stub->addUpdateStubForValue(cx, script, obj, id, value))) {
+    if (MOZ_UNLIKELY(!stub->addUpdateStubForValue(cx, script, obj, group, id, value))) {
         // The calling JIT code assumes this function is infallible (for
         // instance we may reallocate dynamic slots before calling this),
         // so ignore OOMs if we failed to attach a stub.
         cx->recoverFromOutOfMemory();
     }
 
     return true;
 }
--- a/js/src/jit/SharedIC.cpp
+++ b/js/src/jit/SharedIC.cpp
@@ -2540,30 +2540,32 @@ bool
 ICTypeMonitor_AnyValue::Compiler::generateStubCode(MacroAssembler& masm)
 {
     EmitReturnFromIC(masm);
     return true;
 }
 
 bool
 ICUpdatedStub::addUpdateStubForValue(JSContext* cx, HandleScript outerScript, HandleObject obj,
-                                     HandleId id, HandleValue val)
+                                     HandleObjectGroup group, HandleId id, HandleValue val)
 {
     EnsureTrackPropertyTypes(cx, obj, id);
 
     // Make sure that undefined values are explicitly included in the property
     // types for an object if generating a stub to write an undefined value.
-    if (val.isUndefined() && CanHaveEmptyPropertyTypesForOwnProperty(obj))
+    if (val.isUndefined() && CanHaveEmptyPropertyTypesForOwnProperty(obj)) {
+        MOZ_ASSERT(obj->group() == group);
         AddTypePropertyId(cx, obj, id, val);
+    }
 
     bool unknown = false, unknownObject = false;
-    if (obj->group()->unknownProperties()) {
+    if (group->unknownProperties()) {
         unknown = unknownObject = true;
     } else {
-        if (HeapTypeSet* types = obj->group()->maybeGetProperty(id)) {
+        if (HeapTypeSet* types = group->maybeGetProperty(id)) {
             unknown = types->unknown();
             unknownObject = types->unknownObject();
         } else {
             // We don't record null/undefined types for certain TypedObject
             // properties. In these cases |types| is allowed to be nullptr
             // without implying unknown types. See DoTypeUpdateFallback.
             MOZ_ASSERT(obj->is<TypedObject>());
             MOZ_ASSERT(val.isNullOrUndefined());
--- a/js/src/jit/SharedIC.h
+++ b/js/src/jit/SharedIC.h
@@ -934,17 +934,17 @@ class ICUpdatedStub : public ICStub
         firstUpdateStub_(nullptr),
         numOptimizedStubs_(0)
     {}
 
   public:
     MOZ_MUST_USE bool initUpdatingChain(JSContext* cx, ICStubSpace* space);
 
     MOZ_MUST_USE bool addUpdateStubForValue(JSContext* cx, HandleScript script, HandleObject obj,
-                                            HandleId id, HandleValue val);
+                                            HandleObjectGroup group, HandleId id, HandleValue val);
 
     void addOptimizedUpdateStub(ICStub* stub) {
         if (firstUpdateStub_->isTypeUpdate_Fallback()) {
             stub->setNext(firstUpdateStub_);
             firstUpdateStub_ = stub;
         } else {
             ICStub* iter = firstUpdateStub_;
             MOZ_ASSERT(iter->next() != nullptr);