Bug 1063253 - Fix CodeGenerator::visitNewArrayCallVM to not ignore the AllocatingBehaviour value. r=h4writer

2024-10-15 14:25:52 +00:00 · 2014-09-12 14:24:24 +02:00 · 2014-09-12 14:24:24 +02:00 · de669dfe61
commit de669dfe61
parent e1334bc587
6 changed files with 9 additions and 25 deletions
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@ -1707,7 +1707,7 @@ DoNewArray(JSContext *cx, ICNewArray_Fallback *stub, uint32_t length,
 {
    FallbackICSpew(cx, stub, "NewArray");

-    JSObject *obj = NewInitArray(cx, length, type);
+    JSObject *obj = NewDenseArray(cx, length, type, NewArray_FullyAllocating);
    if (!obj)
        return false;

--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -3507,9 +3507,9 @@ class OutOfLineNewArray : public OutOfLineCodeBase<CodeGenerator>
    }
 };

-typedef JSObject *(*NewInitArrayFn)(JSContext *, uint32_t, types::TypeObject *);
-static const VMFunction NewInitArrayInfo =
-    FunctionInfo<NewInitArrayFn>(NewInitArray);
+typedef ArrayObject *(*NewDenseArrayFn)(ExclusiveContext *, uint32_t, HandleTypeObject,
+                                        AllocatingBehaviour);
+static const VMFunction NewDenseArrayInfo = FunctionInfo<NewDenseArrayFn>(NewDenseArray);

 bool
 CodeGenerator::visitNewArrayCallVM(LNewArray *lir)
@ -3525,10 +3525,11 @@ CodeGenerator::visitNewArrayCallVM(LNewArray *lir)
    types::TypeObject *type =
        templateObject->hasSingletonType() ? nullptr : templateObject->type();

+    pushArg(Imm32(lir->mir()->allocatingBehaviour()));
    pushArg(ImmGCPtr(type));
    pushArg(Imm32(lir->mir()->count()));

-    if (!callVM(NewInitArrayInfo, lir))
+    if (!callVM(NewDenseArrayInfo, lir))
        return false;

    if (ReturnReg != objReg)
--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@ -297,23 +297,6 @@ StringsEqual(JSContext *cx, HandleString lhs, HandleString rhs, bool *res)
 template bool StringsEqual<true>(JSContext *cx, HandleString lhs, HandleString rhs, bool *res);
 template bool StringsEqual<false>(JSContext *cx, HandleString lhs, HandleString rhs, bool *res);

-JSObject*
-NewInitArray(JSContext *cx, uint32_t count, types::TypeObject *typeArg)
-{
-    RootedTypeObject type(cx, typeArg);
-    NewObjectKind newKind = !type ? SingletonObject : GenericObject;
-    if (type && type->shouldPreTenure())
-        newKind = TenuredObject;
-    RootedObject obj(cx, NewDenseFullyAllocatedArray(cx, count, nullptr, newKind));
-    if (!obj)
-        return nullptr;
-
-    if (type)
-        obj->setType(type);
-
-    return obj;
-}
-
 JSObject*
 NewInitObject(JSContext *cx, HandleObject templateObject)
 {
--- a/js/src/jit/VMFunctions.h
+++ b/js/src/jit/VMFunctions.h
@ -289,6 +289,7 @@ template <class> struct TypeToDataType { /* Unexpected return type for a VMFunct
 template <> struct TypeToDataType<bool> { static const DataType result = Type_Bool; };
 template <> struct TypeToDataType<JSObject *> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<DeclEnvObject *> { static const DataType result = Type_Object; };
+template <> struct TypeToDataType<ArrayObject *> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<JSString *> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<JSFlatString *> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<HandleObject> { static const DataType result = Type_Handle; };
@ -633,7 +634,6 @@ bool StringsEqual(JSContext *cx, HandleString left, HandleString right, bool *re

 // Allocation functions for JSOP_NEWARRAY and JSOP_NEWOBJECT and parallel array inlining
 JSObject *NewInitParallelArray(JSContext *cx, HandleObject templateObj);
-JSObject *NewInitArray(JSContext *cx, uint32_t count, types::TypeObject *type);
 JSObject *NewInitObject(JSContext *cx, HandleObject templateObject);
 JSObject *NewInitObjectWithClassPrototype(JSContext *cx, HandleObject templateObject);

--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -3292,7 +3292,7 @@ js::NewDenseUnallocatedArray(ExclusiveContext *cx, uint32_t length, JSObject *pr
    return NewArray<0>(cx, length, proto, newKind);
 }

-ArrayObject * JS_FASTCALL
+ArrayObject *
 js::NewDenseArray(ExclusiveContext *cx, uint32_t length, HandleTypeObject type,
                  AllocatingBehaviour allocating)
 {
--- a/js/src/jsarray.h
+++ b/js/src/jsarray.h
@ -79,7 +79,7 @@ enum AllocatingBehaviour {
 * Create a dense array with a set length, but only allocates space for the
 * contents if the length is not excessive.
 */
-extern ArrayObject * JS_FASTCALL
+extern ArrayObject *
 NewDenseArray(ExclusiveContext *cx, uint32_t length, HandleTypeObject type,
              AllocatingBehaviour allocating);