Bug 829896 - Make typed array element accesses return undefined if the element is out of bounds, rather than accessing the prototype chain r=jandem

2024-09-13 09:24:08 -07:00 · 2013-07-09 15:29:39 -04:00 · 2013-07-09 15:29:39 -04:00 · 07257e7a4c
commit 07257e7a4c
parent c92f991c16
11 changed files with 20 additions and 87 deletions
--- a/js/src/ion/CodeGenerator.cpp
+++ b/js/src/ion/CodeGenerator.cpp
@ -6363,43 +6363,25 @@ CodeGenerator::visitLoadTypedArrayElement(LLoadTypedArrayElement *lir)
    return true;
 }

-class OutOfLineLoadTypedArray : public OutOfLineCodeBase<CodeGenerator>
-{
-    LLoadTypedArrayElementHole *ins_;
-
-  public:
-    OutOfLineLoadTypedArray(LLoadTypedArrayElementHole *ins)
-      : ins_(ins)
-    { }
-
-    bool accept(CodeGenerator *codegen) {
-        return codegen->visitOutOfLineLoadTypedArray(this);
-    }
-
-    LLoadTypedArrayElementHole *ins() const {
-        return ins_;
-    }
-};
-
 bool
 CodeGenerator::visitLoadTypedArrayElementHole(LLoadTypedArrayElementHole *lir)
 {
    Register object = ToRegister(lir->object());
    const ValueOperand out = ToOutValue(lir);

-    OutOfLineLoadTypedArray *ool = new OutOfLineLoadTypedArray(lir);
-    if (!addOutOfLineCode(ool))
-        return false;
-
    // Load the length.
    Register scratch = out.scratchReg();
    Int32Key key = ToInt32Key(lir->index());
    masm.unboxInt32(Address(object, TypedArrayObject::lengthOffset()), scratch);

-    // OOL path if index >= length.
-    masm.branchKey(Assembler::BelowOrEqual, scratch, key, ool->entry());
+    // Load undefined unless length > key.
+    Label inbounds, done;
+    masm.branchKey(Assembler::Above, scratch, key, &inbounds);
+    masm.moveValue(UndefinedValue(), out);
+    masm.jump(&done);

    // Load the elements vector.
+    masm.bind(&inbounds);
    masm.loadPtr(Address(object, TypedArrayObject::dataOffset()), scratch);

    int arrayType = lir->mir()->arrayType();
@ -6419,35 +6401,7 @@ CodeGenerator::visitLoadTypedArrayElementHole(LLoadTypedArrayElementHole *lir)
    if (fail.used() && !bailoutFrom(&fail, lir->snapshot()))
        return false;

-    masm.bind(ool->rejoin());
-    return true;
-}
-
-typedef bool (*GetElementMonitoredFn)(JSContext *, MutableHandleValue, HandleValue, MutableHandleValue);
-static const VMFunction GetElementMonitoredInfo =
-    FunctionInfo<GetElementMonitoredFn>(js::GetElementMonitored);
-
-bool
-CodeGenerator::visitOutOfLineLoadTypedArray(OutOfLineLoadTypedArray *ool)
-{
-    LLoadTypedArrayElementHole *ins = ool->ins();
-    saveLive(ins);
-
-    Register object = ToRegister(ins->object());
-    ValueOperand out = ToOutValue(ins);
-
-    if (ins->index()->isConstant())
-        pushArg(*ins->index()->toConstant());
-    else
-        pushArg(TypedOrValueRegister(MIRType_Int32, ToAnyRegister(ins->index())));
-    pushArg(TypedOrValueRegister(MIRType_Object, AnyRegister(object)));
-    if (!callVM(GetElementMonitoredInfo, ins))
-        return false;
-
-    masm.storeCallResultValue(out);
-    restoreLive(ins);
-
-    masm.jump(ool->rejoin());
+    masm.bind(&done);
    return true;
 }

--- a/js/src/ion/CodeGenerator.h
+++ b/js/src/ion/CodeGenerator.h
@ -212,7 +212,6 @@ class CodeGenerator : public CodeGeneratorSpecific
    bool visitClampIToUint8(LClampIToUint8 *lir);
    bool visitClampDToUint8(LClampDToUint8 *lir);
    bool visitClampVToUint8(LClampVToUint8 *lir);
-    bool visitOutOfLineLoadTypedArray(OutOfLineLoadTypedArray *ool);
    bool visitCallIteratorStart(LCallIteratorStart *lir);
    bool visitIteratorStart(LIteratorStart *lir);
    bool visitIteratorNext(LIteratorNext *lir);
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -6666,7 +6666,7 @@ IonBuilder::jsop_getelem_typed(int arrayType)
        current->add(load);
        current->push(load);

-        return resumeAfter(load) && pushTypeBarrier(load, types, needsBarrier);
+        return pushTypeBarrier(load, types, needsBarrier);
    }
 }

--- a/js/src/ion/MIR.h
+++ b/js/src/ion/MIR.h
@ -5001,9 +5001,7 @@ class MLoadTypedArrayElementHole
        return getOperand(1);
    }
    AliasSet getAliasSet() const {
-        // Out-of-bounds accesses are handled using a VM call, this may
-        // invoke getters on the prototype chain.
-        return AliasSet::Store(AliasSet::Any);
+        return AliasSet::Load(AliasSet::TypedArrayElement);
    }
 };

--- a/js/src/jit-test/tests/basic/testTypedArrayOutOfBounds.js
+++ b/js/src/jit-test/tests/basic/testTypedArrayOutOfBounds.js
@ -14,6 +14,9 @@ function f1() {
 f1();

 function f2() {
+    // Test that values on the prototype are ignored,
+    // even for OOB accesses. This behavior is new
+    // with ECMA 6 (see bug 829896).
    Object.prototype[50] = 4.4;
    Object.prototype[55] = Math;

@ -22,10 +25,6 @@ function f2() {
        var x = a[i];
        if (i < a.length)
            assertEq(x, 0);
-        else if (i === 50)
-            assertEq(x, 4.4);
-        else if (i === 55)
-            assertEq(x, Math);
        else
            assertEq(x, undefined);
    }
--- a/js/src/jit-test/tests/basic/typed-array-getprop-out-of-range.js
+++ b/js/src/jit-test/tests/basic/typed-array-getprop-out-of-range.js
@ -5,7 +5,7 @@ function test()
  for (var i = 0, sz = 9; i < sz; i++)
  {
    var ta = new Int8Array();
-    assertEq(ta[0], r);
+    assertEq(ta[0], undefined);
  }
 }
 test();
--- a/js/src/jit-test/tests/ion/typed-arrays-2.js
+++ b/js/src/jit-test/tests/ion/typed-arrays-2.js
@ -11,10 +11,8 @@ function test1() {
            assertEq(res, 0xffffee00);
        else if (i == 84)
            assertEq(res, 444);
-        else if (i == 105)
-            assertEq(res, true);
        else if (i >= 100)
            assertEq(res, undefined);
    }
 }
-test1();
+test1();
--- a/js/src/jit-test/tests/parallelarray/bug890465.js
+++ b/js/src/jit-test/tests/parallelarray/bug890465.js
@ -0,0 +1,4 @@
+x = Uint8ClampedArray()
+ParallelArray([320], function() {
+    return x[8]
+})
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@ -3706,17 +3706,6 @@ js::GetElement(JSContext *cx, MutableHandleValue lref, HandleValue rref, Mutable
    return GetElementOperation(cx, JSOP_GETELEM, lref, rref, vp);
 }

-bool
-js::GetElementMonitored(JSContext *cx, MutableHandleValue lref, HandleValue rref,
-                        MutableHandleValue vp)
-{
-    if (!GetElement(cx, lref, rref, vp))
-        return false;
-
-    TypeScript::Monitor(cx, vp);
-    return true;
-}
-
 bool
 js::CallElement(JSContext *cx, MutableHandleValue lref, HandleValue rref, MutableHandleValue res)
 {
--- a/js/src/vm/Interpreter.h
+++ b/js/src/vm/Interpreter.h
@ -415,9 +415,6 @@ Lambda(JSContext *cx, HandleFunction fun, HandleObject parent);
 bool
 GetElement(JSContext *cx, MutableHandleValue lref, HandleValue rref, MutableHandleValue res);

-bool
-GetElementMonitored(JSContext *cx, MutableHandleValue lref, HandleValue rref, MutableHandleValue res);
-
 bool
 CallElement(JSContext *cx, MutableHandleValue lref, HandleValue rref, MutableHandleValue res);

--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@ -1442,13 +1442,8 @@ class TypedArrayObjectTemplate : public TypedArrayObject
            return true;
        }

-        RootedObject proto(cx, tarray->getProto());
-        if (!proto) {
-            vp.setUndefined();
-            return true;
-        }
-
-        return JSObject::getElement(cx, proto, receiver, index, vp);
+        vp.setUndefined();
+        return true;
    }

    static JSBool