Bug 1029126 - Fix out-of-range assignment warning in typed-object field offset calculation code. r=shu

--HG--
extra : rebase_source : 82c837c60b46a7d7dc52b2ea39c864e5f5c2c18f

js/src/builtin/TypedObject.cpp

@@ -6,6 +6,7 @@
 
 #include "builtin/TypedObject.h"
 
+#include "mozilla/Casting.h"
 #include "mozilla/CheckedInt.h"
 
 #include "jscompartment.h"
@@ -28,6 +29,7 @@
 
 using mozilla::CheckedInt32;
 using mozilla::DebugOnly;
+using mozilla::SafeCast;
 
 using namespace js;
 
@@ -959,6 +961,7 @@ StructMetaTypeDescr::create(JSContext *cx,
                                  JSMSG_TYPEDOBJECT_TOO_BIG);
             return nullptr;
         }
+        MOZ_ASSERT(offset.value() >= 0);
         if (!fieldOffsets.append(Int32Value(offset.value()))) {
             js_ReportOutOfMemory(cx);
             return nullptr;
@@ -1147,13 +1150,13 @@ StructTypeDescr::fieldName(size_t index) const
     return fieldNames.getDenseElement(index).toString()->asAtom();
 }
 
-int32_t
+size_t
 StructTypeDescr::fieldOffset(size_t index) const
 {
     JSObject &fieldOffsets =
         getReservedSlot(JS_DESCR_SLOT_STRUCT_FIELD_OFFSETS).toObject();
     JS_ASSERT(index < fieldOffsets.getDenseInitializedLength());
-    return fieldOffsets.getDenseElement(index).toInt32();
+    return SafeCast<size_t>(fieldOffsets.getDenseElement(index).toInt32());
 }
 
 SizedTypeDescr&

js/src/builtin/TypedObject.h

@@ -507,7 +507,7 @@ class StructTypeDescr : public ComplexTypeDescr
     SizedTypeDescr &fieldDescr(size_t index) const;
 
     // Return the offset of the field at index `index`.
-    int32_t fieldOffset(size_t index) const;
+    size_t fieldOffset(size_t index) const;
 };
 
 typedef Handle<StructTypeDescr*> HandleStructTypeDescr;

js/src/jit/IonBuilder.cpp

@@ -8708,7 +8708,7 @@ IonBuilder::getPropTryTypedObject(bool *emitted,
                                   types::TemporaryTypeSet *resultTypes)
 {
     TypedObjectPrediction fieldPrediction;
-    int32_t fieldOffset;
+    size_t fieldOffset;
     size_t fieldIndex;
     if (!typedObjectHasField(obj, name, &fieldOffset, &fieldPrediction, &fieldIndex))
         return true;
@@ -9353,7 +9353,7 @@ IonBuilder::setPropTryTypedObject(bool *emitted, MDefinition *obj,
                                   PropertyName *name, MDefinition *value)
 {
     TypedObjectPrediction fieldPrediction;
-    int32_t fieldOffset;
+    size_t fieldOffset;
     size_t fieldIndex;
     if (!typedObjectHasField(obj, name, &fieldOffset, &fieldPrediction, &fieldIndex))
         return true;
@@ -10372,7 +10372,7 @@ IonBuilder::loadTypedObjectElements(MDefinition *typedObj,
 bool
 IonBuilder::typedObjectHasField(MDefinition *typedObj,
                                 PropertyName *name,
-                                int32_t *fieldOffset,
+                                size_t *fieldOffset,
                                 TypedObjectPrediction *fieldPrediction,
                                 size_t *fieldIndex)
 {

js/src/jit/IonBuilder.h

@@ -453,7 +453,7 @@ class IonBuilder : public MIRGenerator
     TypedObjectPrediction typedObjectPrediction(types::TemporaryTypeSet *types);
     bool typedObjectHasField(MDefinition *typedObj,
                              PropertyName *name,
-                             int32_t *fieldOffset,
+                             size_t *fieldOffset,
                              TypedObjectPrediction *fieldTypeReprs,
                              size_t *fieldIndex);
     MDefinition *loadTypedObjectType(MDefinition *value);

js/src/jit/TypedObjectPrediction.cpp

@@ -323,16 +323,10 @@ bool
 TypedObjectPrediction::hasFieldNamedPrefix(const StructTypeDescr &descr,
                                            size_t fieldCount,
                                            jsid id,
-                                           int32_t *offset,
+                                           size_t *fieldOffset,
                                            TypedObjectPrediction *out,
                                            size_t *index) const
 {
-    // Initialize |*offset| and |*out| for the case where incompatible
-    // or absent fields are found.
-    *offset = SIZE_MAX;
-    *index = SIZE_MAX;
-    *out = TypedObjectPrediction();
-
     // Find the index of the field |id| if any.
     if (!descr.fieldIndex(id, index))
         return false;
@@ -342,14 +336,14 @@ TypedObjectPrediction::hasFieldNamedPrefix(const StructTypeDescr &descr,
         return false;
 
     // Load the offset and type.
-    *offset = descr.fieldOffset(*index);
+    *fieldOffset = descr.fieldOffset(*index);
     *out = TypedObjectPrediction(descr.fieldDescr(*index));
     return true;
 }
 
 bool
 TypedObjectPrediction::hasFieldNamed(jsid id,
-                                     int32_t *fieldOffset,
+                                     size_t *fieldOffset,
                                      TypedObjectPrediction *fieldType,
                                      size_t *fieldIndex) const
 {

js/src/jit/TypedObjectPrediction.h

@@ -136,7 +136,7 @@ class TypedObjectPrediction {
     bool hasFieldNamedPrefix(const StructTypeDescr &descr,
                              size_t fieldCount,
                              jsid id,
-                             int32_t *offset,
+                             size_t *fieldOffset,
                              TypedObjectPrediction *out,
                              size_t *index) const;
 
@@ -222,7 +222,7 @@ class TypedObjectPrediction {
     // the offset (in bytes), type, and index of the field
     // respectively.  Otherwise returns false.
     bool hasFieldNamed(jsid id,
-                       int32_t *fieldOffset,
+                       size_t *fieldOffset,
                        TypedObjectPrediction *fieldType,
                        size_t *fieldIndex) const;
 };