928464 - Handle array/object initializers in 'new' scripts

Status: RESOLVED DUPLICATE of bug 928562

(Core :: JavaScript Engine: JIT, defect)

Description

[Brian Hackett [Laid off!]]

Attachment: patch

This is a regression from bug 922270, when we run the definite properties analysis on a script it has usually not been baseline compiled, and we end up aborting the analysis if template objects can't be obtained from newarray or newobject operations in the script.

Comment 1

[Jan de Mooij [:jandem]]

Comment on attachment 819117 [details] [diff] [review]
patch

Review of attachment 819117 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonBuilder.cpp
@@ +5439,5 @@
>      bool needStub = false;
> +    if (!obj->resultTypeSet() || obj->resultTypeSet()->unknownObject()) {
> +        needStub = true;
> +    } else {
> +        types::TypeObjectKey *initializer = obj->resultTypeSet()->getObject(0);

Pre-existing, but can we assert getObjectCount() == 1 here?

@@ +5515,4 @@
>  
>      RootedObject templateObject(cx, obj->toNewObject()->templateObject());
>  
>      if (!CanEffectlesslyCallLookupGenericOnObject(cx, templateObject, name))

Can you move this call inside the "if (templateObject)" below? CanEffectlesslyCallLookupGenericOnObject currently returns |true| if templateObject == nullptr so there's not really a problem atm but better to avoid the call in that case.

Comment 2

[Brian Hackett [Laid off!]]

Actually, I think it'd be better to just wait for bug 928562 for this fix.  That bug reworks things a bit so that we baseline compile the script before the definite properties analysis (so that BytecodeTypes works) which will make these template objects available to IonBuilder.