Bug 1500920 - Correct check for pretenured flag in unboxed objects constructors r=jandem
OBJECT_FLAG_PRE_TENURE is contained within OBJECT_FLAG_DYNAMIC_MASK, and so it
is set not only when pretenuring is required, but also whenever
OBJECT_FLAG_UNKNOWN_PROPERTIES is set. Without a check for the
OBJECT_FLAG_UNKNOWN_PROPERTIES flag, the constructor tenure-allocates any
object with the OBJECT_FLAG_UNKNOWN_PROPERTIES bit set, which may be overly
aggressive.
Differential Revision:
https://phabricator.services.mozilla.com/D9388
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@@ -128,20 +128,25 @@ UnboxedLayout::makeConstructorCode(JSCon
LiveGeneralRegisterSet savedNonVolatileRegisters = SavedNonVolatileRegisters(regs);
masm.PushRegsInMask(savedNonVolatileRegisters);
// The scratch double register might be used by MacroAssembler methods.
if (ScratchDoubleReg.volatile_()) {
masm.push(ScratchDoubleReg);
}
- Label failure, tenuredObject, allocated;
+ Label failure, tenuredObject, allocated, unknownProperties;
masm.branch32(Assembler::NotEqual, newKindReg, Imm32(GenericObject), &tenuredObject);
- masm.branchTest32(Assembler::NonZero, AbsoluteAddress(group->addressOfFlags()),
+
+ masm.load32(AbsoluteAddress(group->addressOfFlags()), scratch1);
+ masm.branchTest32(Assembler::NonZero, scratch1,
+ Imm32(OBJECT_FLAG_UNKNOWN_PROPERTIES), &unknownProperties);
+ masm.branchTest32(Assembler::NonZero, scratch1,
Imm32(OBJECT_FLAG_PRE_TENURE), &tenuredObject);
+ masm.bind(&unknownProperties);
// Allocate an object in the nursery
TemplateObject templateObj(templateObject);
masm.createGCObject(object, scratch1, templateObj, gc::DefaultHeap, &failure,
/* initFixedSlots = */ false);
masm.jump(&allocated);
masm.bind(&tenuredObject);