Bug 829795 - Tolerate statically known dense arrays during JM compilation, r=dvander.

2024-09-13 09:24:08 -07:00 · 2013-01-14 16:19:37 -07:00 · 2013-01-14 16:19:37 -07:00 · 9af439c4d7
commit 9af439c4d7
parent f46a1207b1
3 changed files with 12 additions and 0 deletions
--- a/js/src/jit-test/tests/basic/bug829795.js
+++ b/js/src/jit-test/tests/basic/bug829795.js
@ -0,0 +1,7 @@
+// |jit-test| error: TypeError
+
+try {
+    x = [];
+    Array.prototype.forEach()
+} catch (e) {}
+x.forEach()
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -5086,6 +5086,7 @@ mjit::Compiler::jsop_getprop(HandlePropertyName name, JSValueType knownType,
         * must fit in an int32_t.
         */
        if (!types->hasObjectFlags(cx, types::OBJECT_FLAG_NON_DENSE_ARRAY)) {
+            frame.forgetMismatchedObject(top);
            bool isObject = top->isTypeKnown();
            if (!isObject) {
                Jump notObject = frame.testObject(Assembler::NotEqual, top);
@ -7593,6 +7594,7 @@ mjit::Compiler::jsop_in()
            !types->hasObjectFlags(cx, types::OBJECT_FLAG_NON_DENSE_ARRAY) &&
            !types::ArrayPrototypeHasIndexedProperty(cx, outerScript))
        {
+            frame.forgetMismatchedObject(obj);
            bool isPacked = !types->hasObjectFlags(cx, types::OBJECT_FLAG_NON_PACKED_ARRAY);

            if (!obj->isTypeKnown()) {
--- a/js/src/methodjit/FastBuiltins.cpp
+++ b/js/src/methodjit/FastBuiltins.cpp
@ -605,6 +605,9 @@ CompileStatus
 mjit::Compiler::compileArrayConcat(types::TypeSet *thisTypes, types::TypeSet *argTypes,
                                   FrameEntry *thisValue, FrameEntry *argValue)
 {
+    frame.forgetMismatchedObject(thisValue);
+    frame.forgetMismatchedObject(argValue);
+
    /*
     * Require the 'this' types to have a specific type matching the current
     * global, so we can create the result object inline.