commit bdaa7f394393c740ab0d85443b9815121431249c Author: Ted Campbell tcampbell@mozilla.com Date: Sat Nov 7 05:36:31 2020 +0000
Bug 1675905 - Simplify IonBuilder::createThisScripted. r=jandem,iain a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D96309 --- js/src/jit/IonBuilder.cpp | 29 ++++++++--------------------- js/src/jit/IonIC.cpp | 9 +++++++++ 2 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp index 545c1b06d995..04796e620692 100644 --- a/js/src/jit/IonBuilder.cpp +++ b/js/src/jit/IonBuilder.cpp @@ -5210,31 +5210,18 @@ MDefinition* IonBuilder::createThisScripted(MDefinition* callee, // explicit operation in the bytecode, we cannot use resumeAfter(). // Getters may not override |prototype| fetching, so this operation is // indeed idempotent. - // - First try an idempotent property cache. - // - Upon failing idempotent property cache, we can't use a non-idempotent - // cache, therefore we fallback to CallGetProperty // - // Note: both CallGetProperty and GetPropertyCache can trigger a GC, - // and thus invalidation. - MInstruction* getProto; - if (!invalidatedIdempotentCache()) { - MConstant* id = constant(StringValue(names().prototype)); - MGetPropertyCache* getPropCache = - MGetPropertyCache::New(alloc(), newTarget, id, - /* monitored = */ false); - getPropCache->setIdempotent(); - getProto = getPropCache; - } else { - MCallGetProperty* callGetProp = - MCallGetProperty::New(alloc(), newTarget, names().prototype); - callGetProp->setIdempotent(); - getProto = callGetProp; - } - current->add(getProto); + // Note: GetPropertyCache can trigger a GC, and thus invalidation. + MConstant* id = constant(StringValue(names().prototype)); + MGetPropertyCache* getPropCache = + MGetPropertyCache::New(alloc(), newTarget, id, + /* monitored = */ false); + getPropCache->setIdempotent(); + current->add(getPropCache);
// Create this from prototype MCreateThisWithProto* createThis = - MCreateThisWithProto::New(alloc(), callee, newTarget, getProto); + MCreateThisWithProto::New(alloc(), callee, newTarget, getPropCache); current->add(createThis);
return createThis; diff --git a/js/src/jit/IonIC.cpp b/js/src/jit/IonIC.cpp index 1d5591d0dbf7..a0e4bd2acd6c 100644 --- a/js/src/jit/IonIC.cpp +++ b/js/src/jit/IonIC.cpp @@ -215,6 +215,15 @@ bool IonGetPropertyIC::update(JSContext* cx, HandleScript outerScript, Invalidate(cx, outerScript); }
+ // IonBuilder::createScriptedThis does not use InvalidedIdempotentCache + // flag so prevent bailout-loop by disabling Ion for the script. + MOZ_ASSERT(ic->kind() == CacheKind::GetProp); + if (idVal.toString()->asAtom().asPropertyName() == cx->names().prototype) { + if (val.isObject() && val.toObject().is<JSFunction>()) { + outerScript->disableIon(); + } + } + // We will redo the potentially effectful lookup in Baseline. return true; }