Bug 1500920 - Correct check for pretenured flag in unboxed objects constructors r=jandem

OBJECT_FLAG_PRE_TENURE is contained within OBJECT_FLAG_DYNAMIC_MASK, and so it is set not only when pretenuring is required, but also whenever OBJECT_FLAG_UNKNOWN_PROPERTIES is set. By not checking the OBJECT_FLAG_UNKNOWN_PROPERTIES flag, the constructor will tenure allocate any objects with the OBJECT_FLAG_UNKNOWN_PROPERTIES bit set, which may be overly aggressive. Differential Revision: https://phabricator.services.mozilla.com/D9388 --HG-- extra : moz-landing-system : lando
2018-10-23 23:56:42 +00:00 · 2018-10-23 23:56:42 +00:00 · 0124cc62ab
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@ -133,10 +133,15 @@ UnboxedLayout::makeConstructorCode(JSContext* cx, HandleObjectGroup group)
        masm.push(ScratchDoubleReg);
    }

-    Label failure, tenuredObject, allocated;
+    Label failure, tenuredObject, allocated, unknownProperties;
    masm.branch32(Assembler::NotEqual, newKindReg, Imm32(GenericObject), &tenuredObject);
-    masm.branchTest32(Assembler::NonZero, AbsoluteAddress(group->addressOfFlags()),
+
+    masm.load32(AbsoluteAddress(group->addressOfFlags()), scratch1);
+    masm.branchTest32(Assembler::NonZero, scratch1,
+                      Imm32(OBJECT_FLAG_UNKNOWN_PROPERTIES), &unknownProperties);
+    masm.branchTest32(Assembler::NonZero, scratch1,
                      Imm32(OBJECT_FLAG_PRE_TENURE), &tenuredObject);
+    masm.bind(&unknownProperties);

    // Allocate an object in the nursery
    TemplateObject templateObj(templateObject);