Bug 1404636 part 2 - Add test, asserts. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Fri, 05 Jan 2018 15:15:10 +0100
changeset 397948 bba4a6269557ba7214a09c9c260f83d9a84885e8
parent 397947 d47e642852b17e46c178d26d324b245199e2bc3c
child 397949 804de8550bbd947860e64779da6e6b0f68a68f91
reviewersbhackett
bugs1404636
Bug 1404636 part 2 - Add test, asserts. r=bhackett
js/src/jit-test/tests/ion/bug1404636.js
js/src/jit/arm/CodeGenerator-arm.cpp
js/src/jit/x64/CodeGenerator-x64.cpp
js/src/jit/x86/CodeGenerator-x86.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1404636.js
@@ -0,0 +1,6 @@
+x = new Uint32Array(4);
+try {
+    Math.max(Uint32Array.prototype)();
+} catch (e) {}
+x[3] = -1;
+assertEq(x.toString(), "0,0,0,4294967295");
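Review bot: The new regression test carries no comment saying what it guards, so a future reader sees only a swallowed `Math.max(Uint32Array.prototype)()` call and a store of -1 with no link to the bug. A one-line header such as `// Bug 1404636: the store to x[3] after the throwing call must still wrap to 4294967295.` would tie the file to the changeset and to the assertion on the last line. The `catch (e) {}` is presumably deliberate (the call is expected to throw and only its side effect on later JIT code matters), so the comment should say so rather than leave it looking like an accidental swallow.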
--- a/js/src/jit/arm/CodeGenerator-arm.cpp
+++ b/js/src/jit/arm/CodeGenerator-arm.cpp
@@ -2,16 +2,17 @@
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "jit/arm/CodeGenerator-arm.h"
 
 #include "mozilla/MathAlgorithms.h"
+#include "mozilla/Maybe.h"
 
 #include "jscntxt.h"
 #include "jscompartment.h"
 #include "jsnum.h"
 
 #include "jit/CodeGenerator.h"
 #include "jit/JitCompartment.h"
 #include "jit/JitFrames.h"
@@ -1424,21 +1425,32 @@ CodeGeneratorARM::visitBoxFloatingPoint(
 void
 CodeGeneratorARM::visitUnbox(LUnbox* unbox)
 {
     // Note that for unbox, the type and payload indexes are switched on the
     // inputs.
     MUnbox* mir = unbox->mir();
     Register type = ToRegister(unbox->type());
 
-    ScratchRegisterScope scratch(masm);
-
+    mozilla::Maybe<ScratchRegisterScope> scratch;
+    scratch.emplace(masm);
+
+    JSValueTag tag = MIRTypeToTag(mir->type());
     if (mir->fallible()) {
-        masm.ma_cmp(type, Imm32(MIRTypeToTag(mir->type())), scratch);
+        masm.ma_cmp(type, Imm32(tag), *scratch);
         bailoutIf(Assembler::NotEqual, unbox->snapshot());
+    } else {
+#ifdef DEBUG
+        Label ok;
+        masm.ma_cmp(type, Imm32(tag), *scratch);
+        masm.ma_b(&ok, Assembler::Equal);
+        scratch.reset();
+        masm.assumeUnreachable("Infallible unbox type mismatch");
+        masm.bind(&ok);
+#endif
     }
 }
 
 void
 CodeGeneratorARM::visitDouble(LDouble* ins)
 {
     const LDefinition* out = ins->getDef(0);
     masm.loadConstantDouble(ins->getDouble(), ToFloatRegister(out));
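Review bot: The `scratch.reset()` before `masm.assumeUnreachable(...)` in the DEBUG block is the only reason the plain `ScratchRegisterScope` became a `mozilla::Maybe` with an immediate `emplace`, and nothing in the hunk says why; a reader may "simplify" it back and reintroduce a scratch-register conflict. A comment on that line, e.g. `// Release the scratch register first; assumeUnreachable presumably needs it.` (hedged since the helper's body is not visible here), would protect the construction. The same else-branch check in CodeGenerator-x64.cpp and CodeGenerator-x86.cpp is `#ifdef DEBUG` only, so in release builds an infallible unbox still trusts the MIR type with no runtime check; a short comment on the `} else {` in all three files stating that the check exists only to catch bad MIR type information in debug builds would make that intent explicit. The first hunk of this file only adds the `mozilla/Maybe.h` include for this change.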
--- a/js/src/jit/x64/CodeGenerator-x64.cpp
+++ b/js/src/jit/x64/CodeGenerator-x64.cpp
@@ -110,16 +110,26 @@ CodeGeneratorX64::visitUnbox(LUnbox* unb
             break;
           case MIRType::Symbol:
             cond = masm.testSymbol(Assembler::NotEqual, value);
             break;
           default:
             MOZ_CRASH("Given MIRType cannot be unboxed.");
         }
         bailoutIf(cond, unbox->snapshot());
+    } else {
+#ifdef DEBUG
+        Operand input = ToOperand(unbox->getOperand(LUnbox::Input));
+        JSValueTag tag = MIRTypeToTag(mir->type());
+        Label ok;
+        masm.splitTag(input, ScratchReg);
+        masm.branch32(Assembler::Equal, ScratchReg, Imm32(tag), &ok);
+        masm.assumeUnreachable("Infallible unbox type mismatch");
+        masm.bind(&ok);
+#endif
     }
 
     Operand input = ToOperand(unbox->getOperand(LUnbox::Input));
     Register result = ToRegister(unbox->output());
     switch (mir->type()) {
       case MIRType::Int32:
         masm.unboxInt32(input, result);
         break;
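Review bot: The DEBUG block declares `Operand input = ToOperand(unbox->getOperand(LUnbox::Input));`, and the same expression is evaluated again two lines below the `if` at the existing `Operand input = ...` declaration, so the operand is computed twice in debug builds and a later edit to one copy can silently diverge from the other. Hoisting the existing declaration above the `if (mir->fallible())` and dropping the copy inside `#ifdef DEBUG` removes the duplication without changing behavior. The enclosing `CodeGeneratorX64::visitUnbox` begins before this hunk, so the `if` header itself is not visible here; the hoisted line would go just below `MUnbox* mir = unbox->mir();` wherever that sits.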
--- a/js/src/jit/x86/CodeGenerator-x86.cpp
+++ b/js/src/jit/x86/CodeGenerator-x86.cpp
@@ -118,19 +118,27 @@ CodeGeneratorX86::visitBoxFloatingPoint(
 
 void
 CodeGeneratorX86::visitUnbox(LUnbox* unbox)
 {
     // Note that for unbox, the type and payload indexes are switched on the
     // inputs.
     MUnbox* mir = unbox->mir();
 
+    JSValueTag tag = MIRTypeToTag(mir->type());
     if (mir->fallible()) {
-        masm.cmp32(ToOperand(unbox->type()), Imm32(MIRTypeToTag(mir->type())));
+        masm.cmp32(ToOperand(unbox->type()), Imm32(tag));
         bailoutIf(Assembler::NotEqual, unbox->snapshot());
+    } else {
+#ifdef DEBUG
+        Label ok;
+        masm.branch32(Assembler::Equal, ToOperand(unbox->type()), Imm32(tag), &ok);
+        masm.assumeUnreachable("Infallible unbox type mismatch");
+        masm.bind(&ok);
+#endif
     }
 }
 
 void
 CodeGeneratorX86::visitCompareB(LCompareB* lir)
 {
     MCompare* mir = lir->mir();