summaryrefslogtreecommitdiffstats
path: root/js/src
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 15:11:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 15:11:27 +0000
commitf3bcaf9f88aad2c423ebcd61121562f9834187d4 (patch)
treef22238c29b57707b645a350940e3e9bdf3ce1f5d /js/src
parentAdding debian version 115.7.0esr-1~deb12u1. (diff)
downloadfirefox-esr-f3bcaf9f88aad2c423ebcd61121562f9834187d4.tar.xz
firefox-esr-f3bcaf9f88aad2c423ebcd61121562f9834187d4.zip
Merging upstream version 115.8.0esr.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src')
-rw-r--r--js/src/jit-test/tests/ion/bug1874502.js8
-rw-r--r--js/src/jit/BaselineBailouts.cpp8
-rw-r--r--js/src/jit/MacroAssembler.cpp4
-rw-r--r--js/src/jit/arm/MacroAssembler-arm.cpp2
4 files changed, 18 insertions, 4 deletions
diff --git a/js/src/jit-test/tests/ion/bug1874502.js b/js/src/jit-test/tests/ion/bug1874502.js
new file mode 100644
index 0000000000..4c3f242fc0
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1874502.js
@@ -0,0 +1,8 @@
+// |jit-test| --no-threads; --fast-warmup
+
+function f(x) {
+ Math.fround(function () { x; });
+}
+for (let i = 0; i < 30; i++) {
+ f(Math.fround(1));
+}
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index c82a05d0ea..c13bddf97b 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -125,6 +125,8 @@ class MOZ_STACK_CLASS BaselineStackBuilder {
BailoutKind bailoutKind_;
+ bool canUseTrialInlinedICScripts_ = true;
+
// The baseline frames we will reconstruct on the heap are not
// rooted, so GC must be suppressed.
gc::AutoSuppressGC suppress_;
@@ -486,7 +488,8 @@ void BaselineStackBuilder::setNextCallee(
JSFunction* nextCallee, TrialInliningState trialInliningState) {
nextCallee_ = nextCallee;
- if (trialInliningState == TrialInliningState::Inlined) {
+ if (trialInliningState == TrialInliningState::Inlined &&
+ canUseTrialInlinedICScripts_) {
// Update icScript_ to point to the icScript of nextCallee
const uint32_t pcOff = script_->pcToOffset(pc_);
icScript_ = icScript_->findInlinedChild(pcOff);
@@ -496,6 +499,9 @@ void BaselineStackBuilder::setNextCallee(
// inlined ICScript available, but we also could not if we transitioned
// to TrialInliningState::Failure after being monomorphic inlined.
icScript_ = nextCallee->nonLazyScript()->jitScript()->icScript();
+ if (trialInliningState != TrialInliningState::MonomorphicInlined) {
+ canUseTrialInlinedICScripts_ = false;
+ }
}
}
diff --git a/js/src/jit/MacroAssembler.cpp b/js/src/jit/MacroAssembler.cpp
index 87e1aff967..641c1cf817 100644
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -2662,11 +2662,11 @@ void MacroAssembler::emitMegamorphicCachedSetSlot(
branchTest32(Assembler::Zero, scratch2, scratch2, &doAddDynamic);
AllocatableRegisterSet regs(RegisterSet::Volatile());
- LiveRegisterSet save(regs.asLiveSet());
+ regs.takeUnchecked(scratch2);
+ LiveRegisterSet save(regs.asLiveSet());
PushRegsInMask(save);
- regs.takeUnchecked(scratch2);
Register tmp;
if (regs.has(obj)) {
regs.takeUnchecked(obj);
diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
index da358c5ec9..fe4f36ab26 100644
--- a/js/src/jit/arm/MacroAssembler-arm.cpp
+++ b/js/src/jit/arm/MacroAssembler-arm.cpp
@@ -4592,7 +4592,7 @@ void MacroAssembler::moveValue(const TypedOrValueRegister& src,
return;
}
- ScratchFloat32Scope scratch(*this);
+ ScratchDoubleScope scratch(*this);
FloatRegister freg = reg.fpu();
if (type == MIRType::Float32) {
convertFloat32ToDouble(freg, scratch);