commit 147aeb3677abafce2007637b7e67c79f1d409a7b
parent f30ca5d6dabe63618ee607282e1fa83708c840b4
Author: Jan de Mooij <jdemooij@mozilla.com>
Date: Wed, 8 Oct 2025 06:18:23 +0000
Bug 1992999 part 2 - Don't emit post barriers in Ion for constant values. r=iain
These values can't be in the nursery so the barrier is always a no-op.
Differential Revision: https://phabricator.services.mozilla.com/D267849
Diffstat:
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
@@ -4237,6 +4237,15 @@ void LIRGenerator::visitStoreDynamicSlot(MStoreDynamicSlot* ins) {
void LIRGenerator::visitPostWriteBarrier(MPostWriteBarrier* ins) {
MOZ_ASSERT(ins->object()->type() == MIRType::Object);
+ // We need a barrier if the value might be allocated in the nursery. If the
+ // value is a constant, it must be tenured because MIR can't contain nursery
+ // pointers.
+ MConstant* constValue = ins->value()->maybeConstantValue();
+ if (constValue) {
+ MOZ_ASSERT(JS::GCPolicy<Value>::isTenured(constValue->toJSValue()));
+ return;
+ }
+
switch (ins->value()->type()) {
case MIRType::Object: {
LDefinition tmp =
@@ -4275,8 +4284,9 @@ void LIRGenerator::visitPostWriteBarrier(MPostWriteBarrier* ins) {
break;
}
default:
- // Currently, only objects and strings can be in the nursery. Other
- // instruction types cannot hold nursery pointers.
+ // Currently, only objects, strings, and bigints can be in the nursery.
+ // Other instruction types cannot hold nursery pointers.
+ MOZ_ASSERT(!NeedsPostBarrier(ins->value()->type()));
break;
}
}
@@ -4285,6 +4295,15 @@ void LIRGenerator::visitPostWriteElementBarrier(MPostWriteElementBarrier* ins) {
MOZ_ASSERT(ins->object()->type() == MIRType::Object);
MOZ_ASSERT(ins->index()->type() == MIRType::Int32);
+ // We need a barrier if the value might be allocated in the nursery. If the
+ // value is a constant, it must be tenured because MIR can't contain nursery
+ // pointers.
+ MConstant* constValue = ins->value()->maybeConstantValue();
+ if (constValue) {
+ MOZ_ASSERT(JS::GCPolicy<Value>::isTenured(constValue->toJSValue()));
+ return;
+ }
+
switch (ins->value()->type()) {
case MIRType::Object: {
LDefinition tmp =
@@ -4329,6 +4348,7 @@ void LIRGenerator::visitPostWriteElementBarrier(MPostWriteElementBarrier* ins) {
default:
// Currently, only objects, strings, and bigints can be in the nursery.
// Other instruction types cannot hold nursery pointers.
+ MOZ_ASSERT(!NeedsPostBarrier(ins->value()->type()));
break;
}
}
