diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 15:11:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 15:11:26 +0000 |
commit | fcea19dfd2c426bac0456da850e7c12258e4b9eb (patch) | |
tree | a31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /js | |
parent | Adding upstream version 115.7.0esr. (diff) | |
download | firefox-esr-upstream/115.8.0esr.tar.xz firefox-esr-upstream/115.8.0esr.zip |
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js')
-rw-r--r-- | js/src/jit-test/tests/ion/bug1874502.js | 8 | ||||
-rw-r--r-- | js/src/jit/BaselineBailouts.cpp | 8 | ||||
-rw-r--r-- | js/src/jit/MacroAssembler.cpp | 4 | ||||
-rw-r--r-- | js/src/jit/arm/MacroAssembler-arm.cpp | 2 |
4 files changed, 18 insertions, 4 deletions
diff --git a/js/src/jit-test/tests/ion/bug1874502.js b/js/src/jit-test/tests/ion/bug1874502.js new file mode 100644 index 0000000000..4c3f242fc0 --- /dev/null +++ b/js/src/jit-test/tests/ion/bug1874502.js @@ -0,0 +1,8 @@ +// |jit-test| --no-threads; --fast-warmup + +function f(x) { + Math.fround(function () { x; }); +} +for (let i = 0; i < 30; i++) { + f(Math.fround(1)); +} diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp index c82a05d0ea..c13bddf97b 100644 --- a/js/src/jit/BaselineBailouts.cpp +++ b/js/src/jit/BaselineBailouts.cpp @@ -125,6 +125,8 @@ class MOZ_STACK_CLASS BaselineStackBuilder { BailoutKind bailoutKind_; + bool canUseTrialInlinedICScripts_ = true; + // The baseline frames we will reconstruct on the heap are not // rooted, so GC must be suppressed. gc::AutoSuppressGC suppress_; @@ -486,7 +488,8 @@ void BaselineStackBuilder::setNextCallee( JSFunction* nextCallee, TrialInliningState trialInliningState) { nextCallee_ = nextCallee; - if (trialInliningState == TrialInliningState::Inlined) { + if (trialInliningState == TrialInliningState::Inlined && + canUseTrialInlinedICScripts_) { // Update icScript_ to point to the icScript of nextCallee const uint32_t pcOff = script_->pcToOffset(pc_); icScript_ = icScript_->findInlinedChild(pcOff); @@ -496,6 +499,9 @@ void BaselineStackBuilder::setNextCallee( // inlined ICScript available, but we also could not if we transitioned // to TrialInliningState::Failure after being monomorphic inlined. icScript_ = nextCallee->nonLazyScript()->jitScript()->icScript(); + if (trialInliningState != TrialInliningState::MonomorphicInlined) { + canUseTrialInlinedICScripts_ = false; + } } } diff --git a/js/src/jit/MacroAssembler.cpp b/js/src/jit/MacroAssembler.cpp index 87e1aff967..641c1cf817 100644 --- a/js/src/jit/MacroAssembler.cpp +++ b/js/src/jit/MacroAssembler.cpp @@ -2662,11 +2662,11 @@ void MacroAssembler::emitMegamorphicCachedSetSlot( branchTest32(Assembler::Zero, scratch2, scratch2, &doAddDynamic); AllocatableRegisterSet regs(RegisterSet::Volatile()); - LiveRegisterSet save(regs.asLiveSet()); + regs.takeUnchecked(scratch2); + LiveRegisterSet save(regs.asLiveSet()); PushRegsInMask(save); - regs.takeUnchecked(scratch2); Register tmp; if (regs.has(obj)) { regs.takeUnchecked(obj); diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp index da358c5ec9..fe4f36ab26 100644 --- a/js/src/jit/arm/MacroAssembler-arm.cpp +++ b/js/src/jit/arm/MacroAssembler-arm.cpp @@ -4592,7 +4592,7 @@ void MacroAssembler::moveValue(const TypedOrValueRegister& src, return; } - ScratchFloat32Scope scratch(*this); + ScratchDoubleScope scratch(*this); FloatRegister freg = reg.fpu(); if (type == MIRType::Float32) { convertFloat32ToDouble(freg, scratch); |