Attachment #8914331: Part 1 - Fix for bug #1404636

View | Details | Raw Unified | Return to bug 1404636
Collapse All | Expand All

(-)a/js/src/jit/IonBuilder.cpp (-26 lines)
Line     Link Here 
 Lines 7790-7808   IonBuilder::getElemTryTypedObject(bool* Link Here 
7790 
                                                    index,
 7790 
                                                    index,
7791 
                                                    objPrediction,
 7791 
                                                    objPrediction,
7792 
                                                    elemPrediction);
 7792 
                                                    elemPrediction);
7793 
    }
 7793 
    }
7794 

7794






7795

    MOZ_CRASH("Bad kind");

7795

    MOZ_CRASH("Bad kind");





7796

}

7796

}





7797


7797






7798

static MIRType







7799

MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble);





7800






7801

bool

7798

bool





7802

IonBuilder::checkTypedObjectIndexInBounds(uint32_t elemSize,

7799

IonBuilder::checkTypedObjectIndexInBounds(uint32_t elemSize,





7803

                                          MDefinition* obj,

7800

                                          MDefinition* obj,





7804

                                          MDefinition* index,

7801

                                          MDefinition* index,





7805

                                          TypedObjectPrediction objPrediction,

7802

                                          TypedObjectPrediction objPrediction,





7806

                                          LinearSum* indexAsByteOffset)

7803

                                          LinearSum* indexAsByteOffset)





7807

{

7804

{





7808

    // Ensure index is an integer.

7805

    // Ensure index is an integer.









 Lines 8748-8786
  IonBuilder::convertShiftToMaskForStaticT

Link Here 






8748

    MOZ_ASSERT(!ptr->isEffectful());

8745

    MOZ_ASSERT(!ptr->isEffectful());





8749


8746






8750

    current->add(mask);

8747

    current->add(mask);





8751

    current->add(ptr);

8748

    current->add(ptr);





8752


8749






8753

    return ptr;

8750

    return ptr;





8754

}

8751

}





8755


8752






8756

static MIRType







8757

MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble)





8758

{





8759

    switch (arrayType) {





8760

      case Scalar::Int8:





8761

      case Scalar::Uint8:





8762

      case Scalar::Uint8Clamped:





8763

      case Scalar::Int16:





8764

      case Scalar::Uint16:





8765

      case Scalar::Int32:





8766

        return MIRType::Int32;





8767

      case Scalar::Uint32:





8768

        return observedDouble ? MIRType::Double : MIRType::Int32;





8769

      case Scalar::Float32:





8770

        return MIRType::Float32;





8771

      case Scalar::Float64:





8772

        return MIRType::Double;





8773

      default:





8774

        break;





8775

    }





8776

    MOZ_CRASH("Unknown typed array type");





8777

}





8778






8779

AbortReasonOr<Ok>

8753

AbortReasonOr<Ok>





8780

IonBuilder::jsop_getelem_typed(MDefinition* obj, MDefinition* index,

8754

IonBuilder::jsop_getelem_typed(MDefinition* obj, MDefinition* index,





8781

                               Scalar::Type arrayType)

8755

                               Scalar::Type arrayType)





8782

{

8756

{





8783

    TemporaryTypeSet* types = bytecodeTypes(pc);

8757

    TemporaryTypeSet* types = bytecodeTypes(pc);





8784


8758






8785

    bool maybeUndefined = types->hasType(TypeSet::UndefinedType());

8759

    bool maybeUndefined = types->hasType(TypeSet::UndefinedType());





8786


8760





(-)a/js/src/jit/MIR.cpp
(+8 lines)









Line 
  

Link Here 










 Lines 6188-6203
  PropertyReadNeedsTypeBarrier(CompilerCon

Link Here 






6188

    // We also need a barrier if the object is a proxy, because then all bets

6188

    // We also need a barrier if the object is a proxy, because then all bets





6189

    // are off, just as if it has unknown properties.

6189

    // are off, just as if it has unknown properties.





6190

    if (key->unknownProperties() || observed->empty() ||

6190

    if (key->unknownProperties() || observed->empty() ||





6191

        key->clasp()->isProxy())

6191

        key->clasp()->isProxy())





6192

    {

6192

    {





6193

        return BarrierKind::TypeSet;

6193

        return BarrierKind::TypeSet;





6194

    }

6194

    }





6195


6195








6196

    if (!name && IsTypedArrayClass(key->clasp())) {





6197

        Scalar::Type arrayType = Scalar::Type(key->clasp() - &TypedArrayObject::classes[0]);





6198

        MIRType type = MIRTypeForTypedArrayRead(arrayType, true);





6199

        if (observed->mightBeMIRType(type))





6200

            return BarrierKind::NoBarrier;





6201

        return BarrierKind::TypeSet;





6202

    }





6203






6196

    jsid id = name ? NameToId(name) : JSID_VOID;

6204

    jsid id = name ? NameToId(name) : JSID_VOID;





6197

    HeapTypeSetKey property = key->property(id);

6205

    HeapTypeSetKey property = key->property(id);





6198

    if (property.maybeTypes()) {

6206

    if (property.maybeTypes()) {





6199

        if (!TypeSetIncludes(observed, MIRType::Value, property.maybeTypes())) {

6207

        if (!TypeSetIncludes(observed, MIRType::Value, property.maybeTypes())) {





6200

            // If all possible objects have been observed, we don't have to

6208

            // If all possible objects have been observed, we don't have to





6201

            // guard on the specific object types.

6209

            // guard on the specific object types.





6202

            if (property.maybeTypes()->objectsAreSubset(observed)) {

6210

            if (property.maybeTypes()->objectsAreSubset(observed)) {





6203

                property.freeze(constraints);

6211

                property.freeze(constraints);




(-)a/js/src/jit/MIR.h
(+23 lines)









Line 
  

Link Here 










 Lines 14951-14966
  bool PropertyWriteNeedsTypeBarrier(TempA

Link Here 






14951

                                   MBasicBlock* current, MDefinition** pobj,

14951

                                   MBasicBlock* current, MDefinition** pobj,





14952

                                   PropertyName* name, MDefinition** pvalue,

14952

                                   PropertyName* name, MDefinition** pvalue,





14953

                                   bool canModify, MIRType implicitType = MIRType::None);

14953

                                   bool canModify, MIRType implicitType = MIRType::None);





14954

AbortReasonOr<bool>

14954

AbortReasonOr<bool>





14955

ArrayPrototypeHasIndexedProperty(IonBuilder* builder, JSScript* script);

14955

ArrayPrototypeHasIndexedProperty(IonBuilder* builder, JSScript* script);





14956

AbortReasonOr<bool>

14956

AbortReasonOr<bool>





14957

TypeCanHaveExtraIndexedProperties(IonBuilder* builder, TemporaryTypeSet* types);

14957

TypeCanHaveExtraIndexedProperties(IonBuilder* builder, TemporaryTypeSet* types);





14958


14958








14959

inline MIRType





14960

MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble)





14961

{





14962

    switch (arrayType) {





14963

      case Scalar::Int8:





14964

      case Scalar::Uint8:





14965

      case Scalar::Uint8Clamped:





14966

      case Scalar::Int16:





14967

      case Scalar::Uint16:





14968

      case Scalar::Int32:





14969

        return MIRType::Int32;





14970

      case Scalar::Uint32:





14971

        return observedDouble ? MIRType::Double : MIRType::Int32;





14972

      case Scalar::Float32:





14973

        return MIRType::Float32;





14974

      case Scalar::Float64:





14975

        return MIRType::Double;





14976

      default:





14977

        break;





14978

    }





14979

    MOZ_CRASH("Unknown typed array type");





14980

}





14981






14959

} // namespace jit

14982

} // namespace jit





14960

} // namespace js

14983

} // namespace js





14961


14984






14962

// Specialize the AlignmentFinder class to make Result<V, E> works with abstract

14985

// Specialize the AlignmentFinder class to make Result<V, E> works with abstract





14963

// classes such as MDefinition*, and MInstruction*

14986

// classes such as MDefinition*, and MInstruction*





14964

namespace mozilla

14987

namespace mozilla





14965

{

14988

{





14966


14989








Return to bug 1404636