Bug 1006885 - IonMonkey: Disable fastpath of bound function for constructing calls with a known non-native, r=jandem

2024-11-01 14:45:29 +00:00 · 2014-05-09 13:23:59 +02:00 · 2014-05-09 13:23:59 +02:00 · 679bd2c98f
commit 679bd2c98f
parent f746967097
2 changed files with 18 additions and 0 deletions
--- a/js/src/jit-test/tests/ion/bug1006885.js
+++ b/js/src/jit-test/tests/ion/bug1006885.js
@ -0,0 +1,9 @@
+function checkConstruct(thing, buggy) {
+    try {
+        new thing();
+    } catch (e) {}
+}
+var boundFunctionPrototype = Function.prototype.bind();
+checkConstruct(boundFunctionPrototype, true);
+var boundBuiltin = Math.sin.bind();
+checkConstruct(boundBuiltin, true);
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@ -1918,6 +1918,15 @@ IonBuilder::inlineBoundFunction(CallInfo &nativeCallInfo, JSFunction *target)
    JSFunction *scriptedTarget = &(target->getBoundFunctionTarget()->as<JSFunction>());
    JSRuntime *runtime = scriptedTarget->runtimeFromMainThread();

+    // Don't optimize if we're constructing and the callee is not a
+    // constructor, so that CallKnown does not have to handle this case
+    // (it should always throw).
+    if (nativeCallInfo.constructing() && !scriptedTarget->isInterpretedConstructor() &&
+        !scriptedTarget->isNativeConstructor())
+    {
+        return InliningStatus_NotInlined;
+    }
+
    if (gc::IsInsideNursery(runtime, scriptedTarget))
        return InliningStatus_NotInlined;