Bug 894782 - Fix callsite cloning interaction with inline dispatch in Ion. (r=jandem)

js/src/ion/IonBuilder.cpp

@@ -4098,12 +4098,16 @@ IonBuilder::inlineCalls(CallInfo &callInfo, AutoObjectVector &targets,
     callInfo.pushFormals(dispatchBlock);
 
     // Patch any InlinePropertyTable to only contain functions that are inlineable.
-    // Also guarantee that the table uses functions from |targets| instead of |originals|.
+    //
+    // Note that we trim using originals, as callsite clones are not user
+    // visible. We don't patch the entries inside the table with the cloned
+    // targets, as the entries should only be used for comparison.
+    //
     // The InlinePropertyTable will also be patched at the end to exclude native functions
     // that vetoed inlining.
     if (maybeCache) {
         InlinePropertyTable *propTable = maybeCache->propTable();
-        propTable->trimToAndMaybePatchTargets(targets, originals);
+        propTable->trimToTargets(originals);
         if (propTable->numEntries() == 0)
             maybeCache = NULL;
     }
@@ -4153,6 +4157,10 @@ IonBuilder::inlineCalls(CallInfo &callInfo, AutoObjectVector &targets,
     // Inline each of the inlineable targets.
     JS_ASSERT(targets.length() == originals.length());
     for (uint32_t i = 0; i < targets.length(); i++) {
+        // When original != target, the target is a callsite clone. The
+        // original should be used for guards, and the target should be the
+        // actual function inlined.
+        JSFunction *original = &originals[i]->as<JSFunction>();
         JSFunction *target = &targets[i]->as<JSFunction>();
 
         // Target must be inlineable.
@@ -4160,7 +4168,7 @@ IonBuilder::inlineCalls(CallInfo &callInfo, AutoObjectVector &targets,
             continue;
 
         // Target must be reachable by the MDispatchInstruction.
-        if (maybeCache && !maybeCache->propTable()->hasFunction(target)) {
+        if (maybeCache && !maybeCache->propTable()->hasFunction(original)) {
             choiceSet[i] = false;
             continue;
         }

js/src/ion/MIR.cpp

@@ -2293,8 +2293,7 @@ InlinePropertyTable::trimTo(AutoObjectVector &targets, Vector<bool> &choiceSet)
 }
 
 void
-InlinePropertyTable::trimToAndMaybePatchTargets(AutoObjectVector &targets,
-                                                AutoObjectVector &originals)
+InlinePropertyTable::trimToTargets(AutoObjectVector &targets)
 {
     IonSpew(IonSpew_Inlining, "Got inlineable property cache with %d cases",
             (int)numEntries());
@@ -2302,12 +2301,8 @@ InlinePropertyTable::trimToAndMaybePatchTargets(AutoObjectVector &targets,
     size_t i = 0;
     while (i < numEntries()) {
         bool foundFunc = false;
-        // Compare using originals, but if we find a matching function,
-        // patch it to the target, which might be a clone.
-        for (size_t j = 0; j < originals.length(); j++) {
-            if (entries_[i]->func == originals[j]) {
-                if (entries_[i]->func != targets[j])
-                    entries_[i] = new Entry(entries_[i]->typeObj, &targets[j]->as<JSFunction>());
+        for (size_t j = 0; j < targets.length(); j++) {
+            if (entries_[i]->func == targets[j]) {
                 foundFunc = true;
                 break;
             }

js/src/ion/MIR.h

@@ -5464,7 +5464,7 @@ class InlinePropertyTable : public TempObject
     void trimTo(AutoObjectVector &targets, Vector<bool> &choiceSet);
 
     // Ensure that the InlinePropertyTable's domain is a subset of |targets|.
-    void trimToAndMaybePatchTargets(AutoObjectVector &targets, AutoObjectVector &originals);
+    void trimToTargets(AutoObjectVector &targets);
 };
 
 class MGetPropertyCache

js/src/jit-test/tests/parallelarray/bug894782.js

@@ -0,0 +1,4 @@
+// Don't crash
+
+print(ParallelArray())
+String(Object.create(ParallelArray(8077, function() {})))