Bug 785576 - Mark dense array properties as 'own'. (r=bhackett)
authorEric Faust <efaustbmo@gmail.com>
Mon, 27 Aug 2012 13:34:52 -0400
changeset 105618 efc2630b978a8f758dcf9abe34b4bab25cd665de
parent 105617 72e95bee76fa7d6d8fba20342f97889c8ecbb320
child 105619 61efc4bbf95b58fffe94dd4d30e5407a5c75173f
push id55
push usershu@rfrn.org
push dateThu, 30 Aug 2012 01:33:09 +0000
reviewersbhackett
bugs785576
milestone17.0a1
Bug 785576 - Mark dense array properties as 'own'. (r=bhackett)
js/src/jsinfer.cpp
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -1082,19 +1082,24 @@ PropertyAccess(JSContext *cx, JSScript *
     if (access != PROPERTY_WRITE) {
         if (JSObject *singleton = object->singleton ? object->singleton : object->proto) {
             Type type = GetSingletonPropertyType(cx, singleton, id);
             if (!type.isUnknown())
                 target->addType(cx, type);
         }
     }
 
-    /* Capture the effects of a standard property access. Never mark the
-     * property as own, as it may have inherited accessors. */
-    HeapTypeSet *types = object->getProperty(cx, id, false);
+    /*
+     * Capture the effects of a standard property access.  For assignments, we do not
+     * automatically update the 'own' bit on accessed properties, except for indexed
+     * elements in dense arrays.  The latter exception allows for JIT fast paths to avoid
+     * testing the array's type when assigning to dense array elements.
+     */
+    bool markOwn = access == PROPERTY_WRITE && JSID_IS_VOID(id);
+    HeapTypeSet *types = object->getProperty(cx, id, markOwn);
     if (!types)
         return;
     if (access == PROPERTY_WRITE) {
         target->addSubset(cx, types);
     } else {
         JS_ASSERT_IF(script->hasAnalysis(),
                      target == script->analysis()->bytecodeTypes(pc));
         if (!types->hasPropagatedProperty())