From 9d91cd346ad59fd9a312f0a000ba73d558648c26 Mon Sep 17 00:00:00 2001 From: Brian Hackett Date: Sat, 14 May 2011 07:39:42 -0700 Subject: [PATCH] [INFER] Use initialized length instead of capacity in Array.join optimization, bug 655769. --- js/src/jsarray.cpp | 4 ++-- js/src/methodjit/Compiler.cpp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index 1d6b921d0e8..469250dcf03 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -1405,9 +1405,9 @@ array_toString_sub(JSContext *cx, JSObject *obj, JSBool locale, StringBuffer sb(cx); if (!locale && !seplen && obj->isDenseArray() && !js_PrototypeHasIndexedProperties(cx, obj)) { - /* Elements beyond 'capacity' are 'undefined' and thus can be ignored. */ + /* Elements beyond the initialized length are 'undefined' and thus can be ignored. */ Value *beg = obj->getDenseArrayElements(); - Value *end = beg + Min(length, obj->getDenseArrayCapacity()); + Value *end = beg + Min(length, obj->getDenseArrayInitializedLength()); for (Value *vp = beg; vp != end; ++vp) { if (!JS_CHECK_OPERATION_LIMIT(cx)) return false; diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp index 2d5d6bf02fe..596eb9ccae9 100644 --- a/js/src/methodjit/Compiler.cpp +++ b/js/src/methodjit/Compiler.cpp @@ -2200,7 +2200,7 @@ mjit::Compiler::generateMethod() */ if (cx->typeInferenceEnabled()) { uint32 slot = ArgSlot(GET_SLOTNO(PC)); - if (a->varTypes[slot].type == JSVAL_TYPE_DOUBLE && analysis->trackSlot(slot)) + if (analysis->trackSlot(slot) && a->varTypes[slot].type == JSVAL_TYPE_DOUBLE) frame.ensureDouble(frame.getArg(GET_SLOTNO(PC))); } @@ -2228,7 +2228,7 @@ mjit::Compiler::generateMethod() if (cx->typeInferenceEnabled()) { uint32 slot = LocalSlot(script, GET_SLOTNO(PC)); - if (a->varTypes[slot].type == JSVAL_TYPE_DOUBLE && analysis->trackSlot(slot)) + if (analysis->trackSlot(slot) && a->varTypes[slot].type == JSVAL_TYPE_DOUBLE) frame.ensureDouble(frame.getLocal(GET_SLOTNO(PC))); }