Bug 893732 - Ensure indexes are integers when loading/storing to static typed arrays, r=jandem.

js/src/ion/MIR.h

@@ -5042,7 +5042,9 @@ class MLoadTypedArrayElementHole
 };
 
 // Load a value fallibly or infallibly from a statically known typed array.
-class MLoadTypedArrayElementStatic : public MUnaryInstruction
+class MLoadTypedArrayElementStatic
+  : public MUnaryInstruction,
+    public IntPolicy<0>
 {
     MLoadTypedArrayElementStatic(TypedArrayObject *typedArray, MDefinition *ptr)
       : MUnaryInstruction(ptr), typedArray_(typedArray), fallible_(true)
@@ -5081,6 +5083,10 @@ class MLoadTypedArrayElementStatic : public MUnaryInstruction
         fallible_ = false;
     }
 
+    TypePolicy *typePolicy() {
+        return this;
+    }
+
     void computeRange();
     bool truncate();
 };

js/src/ion/TypePolicy.cpp

@@ -324,6 +324,9 @@ IntPolicy<Op>::staticAdjustInputs(MInstruction *def)
     if (in->type() == MIRType_Int32)
         return true;
 
+    if (in->type() != MIRType_Value)
+        in = boxAt(def, in);
+
     MUnbox *replace = MUnbox::New(in, MIRType_Int32, MUnbox::Fallible);
     def->block()->insertBefore(def, replace);
     def->replaceOperand(Op, replace);
@@ -562,9 +565,9 @@ bool
 StoreTypedArrayElementStaticPolicy::adjustInputs(MInstruction *ins)
 {
     MStoreTypedArrayElementStatic *store = ins->toStoreTypedArrayElementStatic();
-    JS_ASSERT(store->ptr()->type() == MIRType_Int32);
 
-    return adjustValueInput(ins, store->viewType(), store->value(), 1);
+    return IntPolicy<0>::staticAdjustInputs(ins) &&
+        adjustValueInput(ins, store->viewType(), store->value(), 1);
 }
 
 bool

js/src/jit-test/tests/ion/bug893732.js

@@ -0,0 +1,14 @@
+
+var arr = new Int8Array(100);
+function f(a) {
+  for(var i=0; i<30; i++) {
+    x = a[85.3];
+  }
+}
+f(arr);
+
+var buf = serialize(new Date(NaN));
+var n =  -(8.64e15 + 1);
+var nbuf = serialize(n);
+for (var j = 0; j < 8; j++)
+  buf[j + (0.00000000123)] = nbuf[j];