Bug 980860: Fix fieldName comparison in TypeDescrSet::fieldNamed; r=nmatsakis
authorBenjamin Bouvier <benj@benj.me>
Mon, 10 Mar 2014 15:49:05 +0100
changeset 172752 738dafa8f97fd6366744c32829431ed16475807a
parent 172751 7b8c2a48d08bf8642ee5cc5187b5b65e2ced1e24
child 172782 4501b1da2d2adfebd4a25f50df34e84b525963f7
push id40820
push userbenj@benj.me
push dateMon, 10 Mar 2014 14:49:28 +0000
treeherdermozilla-inbound@738dafa8f97f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnmatsakis
bugs980860
milestone30.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 980860: Fix fieldName comparison in TypeDescrSet::fieldNamed; r=nmatsakis
js/src/jit-test/tests/ion/bug980960.js
js/src/jit/TypeDescrSet.cpp
js/src/jit/shared/CodeGenerator-x86-shared.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug980960.js
@@ -0,0 +1,34 @@
+if (typeof TypedObject === 'undefined')
+    quit();
+
+var StructType = TypedObject.StructType;
+var uint8 = TypedObject.uint8;
+
+function check(c) {
+  assertEq(c.r, 129);
+}
+
+function run() {
+  var RgbColor = new StructType({r: uint8, g: uint8, b: uint8});
+  var Fade = new StructType({from: RgbColor, to: RgbColor});
+
+  var BrgColor = new StructType({b: uint8, r: uint8, g: uint8});
+  var BrgFade = new StructType({from: BrgColor, to: BrgColor});
+
+  var gray = new RgbColor({r: 129, g: 128, b: 127});
+
+  var fade = new Fade({from: gray, to: gray});
+  fade.to = {r: 129, g: 128, b: 127};
+
+  var brgGray = new BrgColor(gray);
+  fade.from = brgGray;
+
+  var brgFade = new BrgFade(fade);
+
+  check(fade.to);
+  check(brgFade.to);
+  check(fade.to);
+  check(brgFade.to);
+}
+
+run();
--- a/js/src/jit/TypeDescrSet.cpp
+++ b/js/src/jit/TypeDescrSet.cpp
@@ -332,17 +332,17 @@ TypeDescrSet::fieldNamed(IonBuilder &bui
         offset0 = descr0.fieldOffset(index0);
         if (!fieldTypes.insert(&descr0.fieldDescr(index0)))
             return false;
     }
 
     // Check that all subsequent fields are at the same offset
     // and compute the union of their types.
     for (size_t i = 1; i < length(); i++) {
-        StructTypeDescr &descri = get(0)->as<StructTypeDescr>();
+        StructTypeDescr &descri = get(i)->as<StructTypeDescr>();
 
         size_t indexi;
         if (!descri.fieldIndex(id, &indexi))
             return true;
 
         // Track whether all indices agree, but do not require it to be true
         if (indexi != index0)
             index0 = SIZE_MAX;
--- a/js/src/jit/shared/CodeGenerator-x86-shared.cpp
+++ b/js/src/jit/shared/CodeGenerator-x86-shared.cpp
@@ -446,17 +446,16 @@ CodeGeneratorX86Shared::bailout(LSnapsho
 bool
 CodeGeneratorX86Shared::visitOutOfLineBailout(OutOfLineBailout *ool)
 {
     masm.push(Imm32(ool->snapshot()->snapshotOffset()));
     masm.jmp(&deoptLabel_);
     return true;
 }
 
-
 bool
 CodeGeneratorX86Shared::visitMinMaxD(LMinMaxD *ins)
 {
     FloatRegister first = ToFloatRegister(ins->first());
     FloatRegister second = ToFloatRegister(ins->second());
 #ifdef DEBUG
     FloatRegister output = ToFloatRegister(ins->output());
     JS_ASSERT(first == output);