Bug 861165 - Fix JM JSOP_IN bug with negative index. r=bhackett

Jan de Mooij 2013-04-20 16:14:17 +02:00
parent 68736ae7ee
commit 52d7cf0ec4
2 changed files with 8 additions and 5 deletions


@ -1,5 +1,3 @@
// |jit-test| no-jm
// IM has the following fastpaths:
// - constant index (constant)
// - need negative int check (neg)


@ -7665,9 +7665,11 @@ mjit::Compiler::jsop_in()
if (cx->typeInferenceEnabled() && id->isType(JSVAL_TYPE_INT32)) {
types::StackTypeSet *types = analysis->poppedTypes(PC, 0);
bool isNegative = id->isConstant() && id->getValue().toInt32() < 0;
if (obj->mightBeType(JSVAL_TYPE_OBJECT) &&
types->getKnownClass() == &ArrayClass &&
!isNegative &&
!types->hasObjectFlags(cx, types::OBJECT_FLAG_SPARSE_INDEXES) &&
!types::ArrayPrototypeHasIndexedProperty(cx, outerScript))
{
@ -7685,6 +7687,11 @@ mjit::Compiler::jsop_in()
? Int32Key::FromConstant(id->getValue().toInt32())
: Int32Key::FromRegister(frame.tempRegForData(id));
if (!id->isConstant()) {
Jump isNegative = masm.branch32(Assembler::LessThan, key.reg(), Imm32(0));
stubcc.linkExit(isNegative, Uses(2));
}
masm.loadPtr(Address(dataReg, JSObject::offsetOfElements()), dataReg);
// Guard on the array's initialized length.
@ -7714,10 +7721,8 @@ mjit::Compiler::jsop_in()
if (dataReg != Registers::ReturnReg)
stubcc.masm.move(Registers::ReturnReg, dataReg);
frame.pushTypedPayload(JSVAL_TYPE_BOOLEAN, dataReg);
stubcc.rejoin(Changes(2));
frame.pushTypedPayload(JSVAL_TYPE_BOOLEAN, dataReg);
return;
}
}
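Review bot: The `Jump isNegative` declared inside the `if (!id->isConstant())` block shadows the `bool isNegative` introduced at the top of the type-inference branch, so one name stands for a compile-time fact in one place and a runtime stub exit in the other. Renaming the jump keeps them apart, e.g. `Jump negativeKey = masm.branch32(Assembler::LessThan, key.reg(), Imm32(0));` followed by `stubcc.linkExit(negativeKey, Uses(2));`. The new guard is also uncommented, although it appears to be what keeps a negative register key away from the inline elements load that follows. A line such as `// A negative int32 key is not a dense-element index: take the stub call before loading the elements pointer.` would record that. Whether the initialized-length guard below compares signed or unsigned is not visible in these hunks, so the comment should state which check covers which case. jsop_in starts and ends outside the hunks shown.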