[tor-commits] [tor-browser/tor-browser-78.4.0esr-10.5-1] Bug 1675905 - Simplify IonBuilder::createThisScripted. r=jandem, iain a=RyanVM

sysrqb at torproject.org sysrqb at torproject.org
Sun Nov 8 19:40:13 UTC 2020


commit bdaa7f394393c740ab0d85443b9815121431249c
Author: Ted Campbell <tcampbell at mozilla.com>
Date:   Sat Nov 7 05:36:31 2020 +0000

    Bug 1675905 - Simplify IonBuilder::createThisScripted. r=jandem,iain a=RyanVM
    
    Differential Revision: https://phabricator.services.mozilla.com/D96309
---
 js/src/jit/IonBuilder.cpp | 29 ++++++++---------------------
 js/src/jit/IonIC.cpp      |  9 +++++++++
 2 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 545c1b06d995..04796e620692 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5210,31 +5210,18 @@ MDefinition* IonBuilder::createThisScripted(MDefinition* callee,
   // explicit operation in the bytecode, we cannot use resumeAfter().
   // Getters may not override |prototype| fetching, so this operation is
   // indeed idempotent.
-  // - First try an idempotent property cache.
-  // - Upon failing idempotent property cache, we can't use a non-idempotent
-  //   cache, therefore we fallback to CallGetProperty
   //
-  // Note: both CallGetProperty and GetPropertyCache can trigger a GC,
-  //       and thus invalidation.
-  MInstruction* getProto;
-  if (!invalidatedIdempotentCache()) {
-    MConstant* id = constant(StringValue(names().prototype));
-    MGetPropertyCache* getPropCache =
-        MGetPropertyCache::New(alloc(), newTarget, id,
-                               /* monitored = */ false);
-    getPropCache->setIdempotent();
-    getProto = getPropCache;
-  } else {
-    MCallGetProperty* callGetProp =
-        MCallGetProperty::New(alloc(), newTarget, names().prototype);
-    callGetProp->setIdempotent();
-    getProto = callGetProp;
-  }
-  current->add(getProto);
+  // Note: GetPropertyCache can trigger a GC, and thus invalidation.
+  MConstant* id = constant(StringValue(names().prototype));
+  MGetPropertyCache* getPropCache =
+      MGetPropertyCache::New(alloc(), newTarget, id,
+                              /* monitored = */ false);
+  getPropCache->setIdempotent();
+  current->add(getPropCache);
 
   // Create this from prototype
   MCreateThisWithProto* createThis =
-      MCreateThisWithProto::New(alloc(), callee, newTarget, getProto);
+      MCreateThisWithProto::New(alloc(), callee, newTarget, getPropCache);
   current->add(createThis);
 
   return createThis;
diff --git a/js/src/jit/IonIC.cpp b/js/src/jit/IonIC.cpp
index 1d5591d0dbf7..a0e4bd2acd6c 100644
--- a/js/src/jit/IonIC.cpp
+++ b/js/src/jit/IonIC.cpp
@@ -215,6 +215,15 @@ bool IonGetPropertyIC::update(JSContext* cx, HandleScript outerScript,
       Invalidate(cx, outerScript);
     }
 
+    // IonBuilder::createScriptedThis does not use InvalidedIdempotentCache
+    // flag so prevent bailout-loop by disabling Ion for the script.
+    MOZ_ASSERT(ic->kind() == CacheKind::GetProp);
+    if (idVal.toString()->asAtom().asPropertyName() == cx->names().prototype) {
+      if (val.isObject() && val.toObject().is<JSFunction>()) {
+        outerScript->disableIon();
+      }
+    }
+
     // We will redo the potentially effectful lookup in Baseline.
     return true;
   }





More information about the tor-commits mailing list