Bug 804676 - Fix various fuzz bugs.

2024-09-13 09:24:08 -07:00 · 2013-04-12 07:25:50 -06:00 · 2013-04-12 07:25:50 -06:00 · 09310478d5
commit 09310478d5
parent 2b38007157
4 changed files with 19 additions and 4 deletions
--- a/js/src/ion/BaselineInspector.cpp
+++ b/js/src/ion/BaselineInspector.cpp
@ -64,6 +64,10 @@ BaselineInspector::expectedResultType(jsbytecode *pc)
 {
    // Look at the IC entries for this op to guess what type it will produce,
    // returning MIRType_None otherwise.
+
+    if (!hasBaselineScript())
+        return MIRType_None;
+
    const ICEntry &entry = icEntryFromPC(pc);

    ICStub *stub = entry.firstStub();
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -186,6 +186,8 @@ IonBuilder::getPolyCallTargets(types::StackTypeSet *calleeTypes,
            targets.clear();
            return true;
        }
+        if (obj->toFunction()->isInterpreted() && !obj->toFunction()->getOrCreateScript(cx))
+            return false;
        if (!targets.append(obj))
            return false;
    }
@ -323,9 +325,11 @@ IonBuilder::analyzeNewLoopTypes(MBasicBlock *entry, jsbytecode *start, jsbytecod
            uint32_t slot = (*last == JSOP_GETLOCAL)
                            ? info().localSlot(GET_SLOTNO(last))
                            : info().argSlot(GET_SLOTNO(last));
-            MPhi *otherPhi = entry->getSlot(slot)->toPhi();
-            if (otherPhi->hasBackedgeType())
-                phi->addBackedgeType(otherPhi->type(), otherPhi->resultTypeSet());
+            if (slot < info().firstStackSlot()) {
+                MPhi *otherPhi = entry->getSlot(slot)->toPhi();
+                if (otherPhi->hasBackedgeType())
+                    phi->addBackedgeType(otherPhi->type(), otherPhi->resultTypeSet());
+            }
        } else {
            MIRType type = MIRType_None;
            switch (*last) {
@ -5184,7 +5188,7 @@ IonBuilder::newOsrPreheader(MBasicBlock *predecessor, jsbytecode *loopEntry)
            MergeTypes(&existingType, &existingTypeSet, type, typeSet);
        }

-        if (existingTypeSet) {
+        if (existingTypeSet && !existingTypeSet->unknown()) {
            MInstruction *barrier = MTypeBarrier::New(def, existingTypeSet);
            osrBlock->add(barrier);
            osrBlock->rewriteSlot(i, barrier);
@ -5354,6 +5358,9 @@ TestSingletonProperty(JSContext *cx, HandleObject obj, JSObject *singleton,

    *isKnownConstant = false;

+    if (id != types::IdToTypeId(id))
+        return true;
+
    if (!CanEffectlesslyCallLookupGenericOnObject(obj))
        return true;

--- a/js/src/ion/MIR.h
+++ b/js/src/ion/MIR.h
@ -6565,6 +6565,7 @@ class MTypeBarrier
    MTypeBarrier(MDefinition *def, types::StackTypeSet *types, BailoutKind bailoutKind)
      : MUnaryInstruction(def)
    {
+        JS_ASSERT(!types->unknown());
        setResultType(MIRType_Value);
        setResultTypeSet(types);
        setGuard();
--- a/js/src/ion/shared/Lowering-shared-inl.h
+++ b/js/src/ion/shared/Lowering-shared-inl.h
@ -402,6 +402,9 @@ LIRGeneratorShared::add(T *ins, MInstruction *mir)
 static inline uint32_t
 VirtualRegisterOfPayload(MDefinition *mir)
 {
+    // Type barriers may have box inputs, and pass through their input's vreg.
+    if (mir->isTypeBarrier())
+        mir = mir->getOperand(0);
    if (mir->isBox()) {
        MDefinition *inner = mir->toBox()->getOperand(0);
        if (!inner->isConstant() && inner->type() != MIRType_Double)