autoland: changeset 150869:0e58a7a4c393bdd27545c08a19985a95f344a1de

author	Dan Gohman <sunfish@google.com>
	Tue, 15 Oct 2013 20:49:43 -0700
changeset 150869	0e58a7a4c393bdd27545c08a19985a95f344a1de
parent 150868	ea7391a5932319227cafe292122a99e6ae08206a
child 150870	d2a8732eeaef87577751be5a4e41e7761a39ed8a
push id	25469
push user	cbook@mozilla.com
push date	Wed, 16 Oct 2013 10:46:01 +0000
treeherder	autoland@afae5911a1e0 [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	nbp
bugs	925586
milestone	27.0a1
first release with	nightly linux32 423b9c30c73d / 27.0a1 / 20131017030201 / files nightly linux64 423b9c30c73d / 27.0a1 / 20131017030201 / files nightly mac 423b9c30c73d / 27.0a1 / 20131017030201 / files nightly win32 423b9c30c73d / 27.0a1 / 20131017030201 / files nightly win64 423b9c30c73d / 27.0a1 / 20131017030201 / files
last release without	nightly linux32 9f63bbc00527 / 27.0a1 / 20131016030202 / files nightly linux64 9f63bbc00527 / 27.0a1 / 20131016030202 / files nightly mac 9f63bbc00527 / 27.0a1 / 20131016030202 / files nightly win32 9f63bbc00527 / 27.0a1 / 20131016030202 / files nightly win64 9f63bbc00527 / 27.0a1 / 20131016030202 / files

--- a/js/src/jit/IonMacroAssembler.cpp
+++ b/js/src/jit/IonMacroAssembler.cpp
@@ -473,16 +473,20 @@ MacroAssembler::loadFromTypedArray(int a
         load32(src, dest.gpr());
         break;
       case ScalarTypeRepresentation::TYPE_UINT32:
         if (dest.isFloat()) {
             load32(src, temp);
             convertUInt32ToDouble(temp, dest.fpu());
         } else {
             load32(src, dest.gpr());
+
+            // Bail out if the value doesn't fit into a signed int32 value. This
+            // is what allows MLoadTypedArrayElement to have a type() of
+            // MIRType_Int32 for UInt32 array loads.
             test32(dest.gpr(), dest.gpr());
             j(Assembler::Signed, fail);
         }
         break;
       case ScalarTypeRepresentation::TYPE_FLOAT32:
         if (LIRGenerator::allowFloat32Optimizations()) {
             loadFloat(src, dest.fpu());
             canonicalizeFloat(dest.fpu());

--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -1260,28 +1260,29 @@ static Range *GetTypedArrayRange(int typ
     }
 
   return nullptr;
 }
 
 void
 MLoadTypedArrayElement::computeRange()
 {
-    if (Range *range = GetTypedArrayRange(arrayType())) {
-        if (type() == MIRType_Int32 && !range->hasInt32UpperBound())
-            range->extendUInt32ToInt32Min();
-        setRange(range);
-    }
+    // We have an Int32 type and if this is a UInt32 load it may produce a value
+    // outside of our range, but we have a bailout to handle those cases.
+    setRange(GetTypedArrayRange(arrayType()));
 }
 
 void
 MLoadTypedArrayElementStatic::computeRange()
 {
-    if (Range *range = GetTypedArrayRange(typedArray_->type()))
-        setRange(range);
+    // We don't currently use MLoadTypedArrayElementStatic for uint32, so we
+    // don't have to worry about it returning a value outside our type.
+    JS_ASSERT(typedArray_->type() != ScalarTypeRepresentation::TYPE_UINT32);
+
+    setRange(GetTypedArrayRange(typedArray_->type()));
 }
 
 void
 MArrayLength::computeRange()
 {
     // Array lengths can go up to UINT32_MAX, but we only create MArrayLength
     // nodes when the value is known to be int32 (see the
     // OBJECT_FLAG_LENGTH_OVERFLOW flag).

js/src/jit/IonMacroAssembler.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit/RangeAnalysis.cpp		file \| annotate \| diff \| comparison \| revisions