Bug 1500920 - Correct branchIfPretenuredGroup r=jandem
Depends on D9388
Differential Revision:
https://phabricator.services.mozilla.com/D9605
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -3408,18 +3408,25 @@ MacroAssembler::branchIfPretenuredGroup(
{
movePtr(ImmGCPtr(group), scratch);
branchIfPretenuredGroup(scratch, label);
}
void
MacroAssembler::branchIfPretenuredGroup(Register group, Label* label)
{
+ // To check for the pretenured flag we need OBJECT_FLAG_PRETENURED set, and
+ // OBJECT_FLAG_UNKNOWN_PROPERTIES unset, so check the latter first, and don't
+ // branch if it set.
+ Label unknownProperties;
+ branchTest32(Assembler::NonZero, Address(group, ObjectGroup::offsetOfFlags()),
+ Imm32(OBJECT_FLAG_UNKNOWN_PROPERTIES), &unknownProperties);
branchTest32(Assembler::NonZero, Address(group, ObjectGroup::offsetOfFlags()),
Imm32(OBJECT_FLAG_PRE_TENURE), label);
+ bind(&unknownProperties);
}
void
MacroAssembler::branchIfNonNativeObj(Register obj, Register scratch, Label* label)
{
loadObjClassUnsafe(obj, scratch);
branchTest32(Assembler::NonZero, Address(scratch, Class::offsetOfFlags()),