Bug 1149119 - Do not inline bound functions with non-atomized arguments. r=jandem

js/src/jit/IonBuilder.cpp

@@ -12873,17 +12873,8 @@ IonBuilder::storeReferenceTypedObjectValue(MDefinition* typedObj,
 MConstant*
 IonBuilder::constant(const Value& v)
 {
-    // For performance reason (TLS) and error code handling (AtomizeString), we
-    // should prefer the specialized frunction constantMaybeAtomize instead of
-    // constant.
     MOZ_ASSERT(!v.isString() || v.toString()->isAtom(),
-               "To handle non-atomized strings, you should use constantMaybeAtomize instead of constant.");
-    if (v.isString() && MOZ_UNLIKELY(!v.toString()->isAtom())) {
-        MConstant* cst = constantMaybeAtomize(v);
-        if (!cst)
-            js::CrashAtUnhandlableOOM("Use constantMaybeAtomize.");
-        return cst;
-    }
+               "Handle non-atomized strings outside IonBuilder.");
 
     MConstant* c = MConstant::New(alloc(), v, constraints());
     current->add(c);
@@ -12896,19 +12887,6 @@ IonBuilder::constantInt(int32_t i)
     return constant(Int32Value(i));
 }
 
-MConstant*
-IonBuilder::constantMaybeAtomize(const Value& v)
-{
-    if (!v.isString() || v.toString()->isAtom())
-        return constant(v);
-
-    JSContext* cx = GetJitContext()->cx;
-    JSAtom* atom = js::AtomizeString(cx, v.toString());
-    if (!atom)
-        return nullptr;
-    return constant(StringValue(atom));
-}
-
 MDefinition*
 IonBuilder::getCallee()
 {

js/src/jit/IonBuilder.h

@@ -353,9 +353,6 @@ class IonBuilder
     MConstant* constant(const Value& v);
     MConstant* constantInt(int32_t i);
 
-    // Note: This function might return nullptr in case of failure.
-    MConstant* constantMaybeAtomize(const Value& v);
-
     // Improve the type information at tests
     bool improveTypesAtTest(MDefinition* ins, bool trueBranch, MTest* test);
     bool improveTypesAtCompare(MCompare* ins, bool trueBranch, MTest* test);

js/src/jit/MCallOptimize.cpp

@@ -2769,11 +2769,15 @@ IonBuilder::inlineBoundFunction(CallInfo& nativeCallInfo, JSFunction* target)
         const Value val = target->getBoundFunctionArgument(i);
         if (val.isObject() && gc::IsInsideNursery(&val.toObject()))
             return InliningStatus_NotInlined;
+        if (val.isString() && !val.toString()->isAtom())
+            return InliningStatus_NotInlined;
     }
 
     const Value thisVal = target->getBoundFunctionThis();
     if (thisVal.isObject() && gc::IsInsideNursery(&thisVal.toObject()))
         return InliningStatus_NotInlined;
+    if (thisVal.isString() && !thisVal.toString()->isAtom())
+        return InliningStatus_NotInlined;
 
     size_t argc = target->getBoundFunctionArgumentCount() + nativeCallInfo.argc();
     if (argc > ARGS_LENGTH_MAX)
@@ -2783,18 +2787,13 @@ IonBuilder::inlineBoundFunction(CallInfo& nativeCallInfo, JSFunction* target)
 
     CallInfo callInfo(alloc(), nativeCallInfo.constructing());
     callInfo.setFun(constant(ObjectValue(*scriptedTarget)));
-    MConstant* thisConst = constantMaybeAtomize(thisVal);
-    if (!thisConst)
-        return InliningStatus_Error;
-    callInfo.setThis(thisConst);
+    callInfo.setThis(constant(thisVal));
 
     if (!callInfo.argv().reserve(argc))
         return InliningStatus_Error;
 
     for (size_t i = 0; i < target->getBoundFunctionArgumentCount(); i++) {
-        MConstant* argConst = constantMaybeAtomize(target->getBoundFunctionArgument(i));
-        if (!argConst)
-            return InliningStatus_Error;
+        MConstant* argConst = constant(target->getBoundFunctionArgument(i));
         callInfo.argv().infallibleAppend(argConst);
     }
     for (size_t i = 0; i < nativeCallInfo.argc(); i++)