Bug 1231163 - Don't assume the RNG's been initialized by a prior call to Math.random, when a call to Math.random is being inlined. (A method can be inlined once its identity has been guarded against, but mere identity can be established without the method having been called.) r=jwalden

2024-09-13 09:24:08 -07:00 · 2015-12-09 22:14:53 -02:00 · 2015-12-09 22:14:53 -02:00 · 32ab0e4a93
commit 32ab0e4a93
parent a10668eec6
2 changed files with 15 additions and 2 deletions
--- a/js/src/jit-test/tests/ion/inline-Math-random-before-called.js
+++ b/js/src/jit-test/tests/ion/inline-Math-random-before-called.js
@ -0,0 +1,11 @@
+// |jit-test| ion-eager
+
+function ionCompiledEagerly() {
+    Math.random; // establish Math.random's identity for inlining
+    return function() {
+        return +Math.random(); // call will be inlined
+    };
+}
+
+var alreadyIonCompiled = ionCompiledEagerly();
+assertEq(alreadyIonCompiled() < 1, true);
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@ -1360,8 +1360,10 @@ IonBuilder::inlineMathRandom(CallInfo& callInfo)
    if (getInlineReturnType() != MIRType_Double)
        return InliningStatus_NotInlined;

-    MOZ_ASSERT(script()->compartment()->randomNumberGenerator.isSome(),
-               "MRandom JIT code depends on RNG being initialized");
+    // MRandom JIT code directly accesses the RNG. It's (barely) possible to
+    // inline Math.random without it having been called yet, so ensure RNG
+    // state that isn't guaranteed to be initialized already.
+    script()->compartment()->ensureRandomNumberGenerator();

    callInfo.setImplicitlyUsedUnchecked();