Bug 1472132 - Don't inline non-scripted functions in Ion when constructing and new.target != the callee. r=anba

2024-11-24 21:31:04 +00:00 · 2018-07-02 18:34:02 +02:00 · 2018-07-02 18:34:02 +02:00 · a94a5f8023
commit a94a5f8023
parent 2f36e69ffe
3 changed files with 26 additions and 0 deletions
--- a/js/public/TrackedOptimizationInfo.h
+++ b/js/public/TrackedOptimizationInfo.h
@ -208,6 +208,7 @@ namespace JS {
    _(CantInlineNativeNoTemplateObj)                                    \
    _(CantInlineBound)                                                  \
    _(CantInlineNativeNoSpecialization)                                 \
+    _(CantInlineUnexpectedNewTarget)                                    \
    _(HasCommonInliningPath)                                            \
                                                                        \
    _(GenericSuccess)                                                   \
--- a/js/src/jit-test/tests/ion/bug1472132.js
+++ b/js/src/jit-test/tests/ion/bug1472132.js
@ -0,0 +1,11 @@
+function f() {
+    for (var i = 0; i < 1200; i++) {
+        var o1 = Reflect.construct(Array, [], Object);
+        var o2 = Reflect.construct(String, [""], Object);
+        var o3 = Reflect.construct(Int32Array, [0], Object);
+        assertEq(o1.__proto__, Object.prototype);
+        assertEq(o2.__proto__, Object.prototype);
+        assertEq(o3.__proto__, Object.prototype);
+    }
+}
+f();
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@ -65,6 +65,13 @@ IonBuilder::inlineNativeCall(CallInfo& callInfo, JSFunction* target)
        return InliningStatus_NotInlined;
    }

+    // Don't inline if we're constructing and new.target != callee. This can
+    // happen with Reflect.construct or derived class constructors.
+    if (callInfo.constructing() && callInfo.getNewTarget() != callInfo.fun()) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineUnexpectedNewTarget);
+        return InliningStatus_NotInlined;
+    }
+
    // Default failure reason is observing an unsupported type.
    trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadType);

@ -462,6 +469,13 @@ IonBuilder::inlineNonFunctionCall(CallInfo& callInfo, JSObject* target)

    MOZ_ASSERT(target->nonCCWRealm() == script()->realm());

+    // Don't inline if we're constructing and new.target != callee. This can
+    // happen with Reflect.construct or derived class constructors.
+    if (callInfo.constructing() && callInfo.getNewTarget() != callInfo.fun()) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineUnexpectedNewTarget);
+        return InliningStatus_NotInlined;
+    }
+
    if (callInfo.constructing() && target->constructHook() == TypedObject::construct)
        return inlineConstructTypedObject(callInfo, &target->as<TypeDescr>());