Bug 1548611: Update RNewArray::recover to match CodeGenerator::visitNewArrayCallVM r=jandem
authorIain Ireland <iireland@mozilla.com>
Fri, 10 May 2019 09:59:50 +0000
changeset 535519 fe2f68fe25bcc83b2e0040423f931d9145f08e4a
parent 535518 fbcf6cd744b163f7073d8a6a00d89412b4bba9dc
child 535520 a811c910cfd3527d20556d09fca7dafc4003bc4d
reviewersjandem
bugs1548611
milestone68.0a1
Bug 1548611: Update RNewArray::recover to match CodeGenerator::visitNewArrayCallVM r=jandem Differential Revision: https://phabricator.services.mozilla.com/D30393
js/src/jit-test/tests/realms/bug1548611.js
js/src/jit/CacheIR.cpp
js/src/jit/Recover.cpp
js/src/jit/Recover.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/realms/bug1548611.js
@@ -0,0 +1,5 @@
+const otherGlobal = newGlobal();
+for (var i=0; i<60; i++) {
+    new otherGlobal.Array();
+    bailout();
+}
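Review bot: The new test has no comment tying it to the defect it guards, and the loop bound 60 reads as a magic number; a reader cannot tell from the file why the Array constructor is taken from a second global or why `bailout()` is called every iteration. I would add a header such as `// Bug 1548611: constructing an Array from another realm's constructor and then bailing out must not recover an array allocated with the wrong realm/group.` and annotate the loop with `// enough iterations to reach Ion so the RNewArray recover path runs (presumably; adjust if tiering thresholds change)`. The exact iteration count needed is not visible here, so the comment should stay hedged.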
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -5123,16 +5123,18 @@ AttachDecision CallIRGenerator::tryAttac
     trackAttached("Call any scripted func");
   }
 
   return AttachDecision::Attach;
 }
 
 bool CallIRGenerator::getTemplateObjectForNative(HandleFunction calleeFunc,
                                                  MutableHandleObject res) {
+  AutoRealm ar(cx_, calleeFunc);
+
   // Saving the template object is unsound for super(), as a single
   // callsite can have multiple possible prototype objects created
   // (via different newTargets)
   bool isSuper = op_ == JSOP_SUPERCALL || op_ == JSOP_SPREADSUPERCALL;
   if (isSuper) {
     return true;
   }
 
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -1223,30 +1223,32 @@ bool RNewTypedArray::recover(JSContext* 
   iter.storeInstructionResult(result);
   return true;
 }
 
 bool MNewArray::writeRecoverData(CompactBufferWriter& writer) const {
   MOZ_ASSERT(canRecoverOnBailout());
   writer.writeUnsigned(uint32_t(RInstruction::Recover_NewArray));
   writer.writeUnsigned(length());
+  writer.writeByte(uint8_t(convertDoubleElements()));
   return true;
 }
 
 RNewArray::RNewArray(CompactBufferReader& reader) {
   count_ = reader.readUnsigned();
+  convertDoubleElements_ = reader.readByte();
 }
 
 bool RNewArray::recover(JSContext* cx, SnapshotIterator& iter) const {
   RootedObject templateObject(cx, &iter.read().toObject());
   RootedValue result(cx);
   RootedObjectGroup group(cx, templateObject->group());
 
   ArrayObject* resultObject =
-      NewFullyAllocatedArrayTryUseGroup(cx, group, count_);
+      NewArrayWithGroup(cx, count_, group, convertDoubleElements_);
   if (!resultObject) {
     return false;
   }
 
   result.setObject(*resultObject);
   iter.storeInstructionResult(result);
   return true;
 }
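Review bot: In the RNewArray reader constructor, `convertDoubleElements_ = reader.readByte();` relies on an implicit uint8_t-to-bool narrowing and nothing documents that the read order must mirror MNewArray::writeRecoverData; I would write `convertDoubleElements_ = reader.readByte() != 0;` with `// Field order must match MNewArray::writeRecoverData.` above it. Separately, RNewArray::recover still allocates with the template object's group under whatever realm cx is in at bailout time; with the CacheIR change now creating template objects in the callee's realm, it is worth confirming that NewArrayWithGroup tolerates (or the bailout frame guarantees) a matching realm, since the commit title says the goal is parity with visitNewArrayCallVM. The CodeGenerator side is not visible here, so this is a caveat to check rather than a defect I can point at.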
--- a/js/src/jit/Recover.h
+++ b/js/src/jit/Recover.h
@@ -603,16 +603,17 @@ class RNewTypedArray final : public RIns
 
   MOZ_MUST_USE bool recover(JSContext* cx,
                             SnapshotIterator& iter) const override;
 };
 
 class RNewArray final : public RInstruction {
  private:
   uint32_t count_;
+  bool convertDoubleElements_;
 
  public:
   RINSTRUCTION_HEADER_NUM_OP_(NewArray, 1)
 
   MOZ_MUST_USE bool recover(JSContext* cx,
                             SnapshotIterator& iter) const override;
 };
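Review bot: The new `bool convertDoubleElements_;` member in RNewArray carries no comment, unlike the serialized form it mirrors; I would document it as `// Serialized after count_ by MNewArray::writeRecoverData; selects whether recover() creates the array with double elements.` Since the field is only ever set in the CompactBufferReader constructor, the comment should also say so, so a future second constructor does not leave it uninitialized. The class is complete within this hunk.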