Bug 1473523 - Don't attach SetDenseElement IC when a typed array is on the proto chain. r=anba
authorTom Schuster <evilpies@gmail.com>
Thu, 19 Jul 2018 22:05:05 +0200
changeset 429714 8e4a266f45fd08a3a6bc0d5153ba37abc6cbdacd
parent 429713 02beb82e0e1fc1143d73cf7d7be94a426e12eb58
child 429715 33332d4bb2d7510cecfd069c7c8b6e0ef0f1fd04
push id34372
push usernerli@mozilla.com
push dateThu, 02 Aug 2018 08:55:28 +0000
reviewersanba
bugs1473523
milestone63.0a1
Bug 1473523 - Don't attach SetDenseElement IC when a typed array is on the proto chain. r=anba
js/src/jit-test/tests/cacheir/typedarray-set.js
js/src/jit/CacheIR.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/typedarray-set.js
@@ -0,0 +1,29 @@
+// Based on work by André Bargull
+
+function f() {
+    var x = [1,2,3];
+    x[3] = 0xff;
+
+    // Should have been defined on typed array.
+    assertEq(x.length, 3);
+    assertEq(x[3], -1);
+
+    x[3] = 0;
+}
+
+Object.setPrototypeOf(Array.prototype, new Int8Array(4));
+f();
+f();
+
+function g() {
+    var x = [1,2,3,4];
+    x[4] = 0xff;
+
+    // OOB [[Set]] should have been ignored
+    assertEq(x.length, 4);
+    assertEq(x[4], undefined);
+}
+
+Object.setPrototypeOf(Array.prototype, new Int8Array(4));
+g();
+g();
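Review bot: `f()` and `g()` are each called only twice, so the test probably reaches the SetElement IC attach path only when jit-test runs with eager-compilation flags; a default run may stay in the interpreter and pass without touching the fixed code. Calling each function in a short loop, e.g. `for (var i = 0; i < 20; i++) f();` and the same for `g`, would make the regression coverage independent of the flag set. The assertions hold across repeated calls, because `f` resets `x[3] = 0` at the end and `g` only performs an out-of-bounds store. A brief comment above the `Object.setPrototypeOf` calls noting that they deliberately mutate the global `Array.prototype` chain would also help, e.g. `// Put a typed array on every array's proto chain so indexed [[Set]] is intercepted.`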
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -3591,16 +3591,20 @@ CanAttachAddElement(NativeObject* obj, b
 
         JSObject* proto = obj->staticPrototype();
         if (!proto)
             break;
 
         if (!proto->isNative())
             return false;
 
+        // TypedArrayObjects [[Set]] has special behavior.
+        if (proto->is<TypedArrayObject>())
+            return false;
+
         // We have to make sure the proto has no non-writable (frozen) elements
         // because we're not allowed to shadow them. There are a few cases to
         // consider:
         //
         // * If the proto is extensible, its Shape will change when it's made
         //   non-extensible.
         //
         // * If the proto is already non-extensible, no new elements will be
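Review bot: The new comment above `proto->is<TypedArrayObject>()` says only that [[Set]] "has special behavior", which does not tell the next maintainer why a failure here is a correctness problem for the IC. I would spell out the semantics the test relies on: `// A typed array on the proto chain intercepts integer-indexed [[Set]]: in-bounds writes land on the typed array, out-of-bounds writes are ignored, so adding a dense element to the receiver would be wrong.` The check runs at attach time only, so it would also be worth noting in the comment which guard (presumably a shape or proto guard emitted elsewhere) invalidates the stub if a typed array is later spliced into the chain. The enclosing loop in `CanAttachAddElement` starts and ends outside this hunk, so whether other exotic native prototypes are rejected earlier cannot be confirmed from here.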