Bug 1109911 - Improve robustness of TypedObjectPrediction code, r=nmatsakis.
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug1109911.js
@@ -0,0 +1,12 @@
+
+if (typeof TypedObject === "undefined")
+ quit();
+
+var int32x4 = SIMD.int32x4;
+var a = int32x4((4294967295), 200, 300, 400);
+addCase( new Array(Math.pow(2,12)) );
+for ( var arg = "", i = 0; i < Math.pow(2,12); i++ ) {}
+addCase( a );
+function addCase(object) {
+ object.length
+}
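Review bot: The guard at the top only tests `TypedObject`, but the next statement dereferences `SIMD.int32x4` unconditionally, so a shell that lacks the SIMD global would fail with a ReferenceError instead of skipping the test. Consider `if (typeof TypedObject === "undefined" || typeof SIMD === "undefined")` ahead of `quit();`. A short header comment would also help, for example `// Reading .length of a SIMD value after warming up addCase with an Array must not crash the JIT.`; that description is inferred from the rest of the patch and should be confirmed by the author.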
--- a/js/src/jit/TypedObjectPrediction.cpp
+++ b/js/src/jit/TypedObjectPrediction.cpp
@@ -131,29 +131,30 @@ TypedObjectPrediction::ofArrayKind() con
}
bool
TypedObjectPrediction::hasKnownSize(int32_t *out) const
{
switch (predictionKind()) {
case TypedObjectPrediction::Empty:
case TypedObjectPrediction::Inconsistent:
- break;
+ return false;
case TypedObjectPrediction::Descr:
*out = descr().size();
return true;
case TypedObjectPrediction::Prefix:
// We only know a prefix of the struct fields, hence we do not
// know its complete size.
return false;
+
+ default:
+ MOZ_CRASH("Bad prediction kind");
}
-
- MOZ_CRASH("Bad prediction kind");
}
const TypedProto *
TypedObjectPrediction::getKnownPrototype() const
{
switch (predictionKind()) {
case TypedObjectPrediction::Empty:
case TypedObjectPrediction::Inconsistent:
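Review bot: hasKnownSize now has three paths (Empty, Inconsistent, Prefix) that return false without writing `*out`, and nothing at the definition states that contract, so a caller that reads the out-param without checking the result would consume an uninitialized size. I would add above the function `// Returns false and leaves *out untouched when the size is not known.`, and the same wording for `*length` on hasKnownArrayLength further down. Reporting "unknown" is the conservative answer for JIT code, so the behaviour itself looks right. Note that this hunk ends inside getKnownPrototype, whose body continues in the next hunk.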
@@ -163,19 +164,20 @@ TypedObjectPrediction::getKnownPrototype
if (descr().is<ComplexTypeDescr>())
return &descr().as<ComplexTypeDescr>().instancePrototype();
return nullptr;
case TypedObjectPrediction::Prefix:
// We only know a prefix of the struct fields, hence we cannot
// say for certain what its prototype will be.
return nullptr;
+
+ default:
+ MOZ_CRASH("Bad prediction kind");
}
-
- MOZ_CRASH("Bad prediction kind");
}
template<typename T>
typename T::Type
TypedObjectPrediction::extractType() const
{
MOZ_ASSERT(kind() == T::Kind);
switch (predictionKind()) {
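Review bot: Moving `MOZ_CRASH("Bad prediction kind")` under a `default:` label in getKnownPrototype (and likewise in hasKnownSize, hasKnownArrayLength and hasFieldNamed) trades away the compiler's missing-enumerator warning, since GCC and Clang only issue -Wswitch when the switch has no default. If every explicit case returns, leaving the `MOZ_CRASH` after the closing brace of the switch behaves the same at run time and keeps that warning for the day a new prediction kind is added. Whether the Empty/Inconsistent arm here returns is not visible, because it falls between this hunk and the previous one.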
@@ -209,35 +211,37 @@ SimdTypeDescr::Type
TypedObjectPrediction::simdType() const
{
return extractType<SimdTypeDescr>();
}
bool
TypedObjectPrediction::hasKnownArrayLength(int32_t *length) const
{
- MOZ_ASSERT(ofArrayKind());
switch (predictionKind()) {
case TypedObjectPrediction::Empty:
case TypedObjectPrediction::Inconsistent:
- break;
+ return false;
case TypedObjectPrediction::Descr:
// In later patches, this condition will always be true
// so long as this represents an array
if (descr().is<ArrayTypeDescr>()) {
*length = descr().as<ArrayTypeDescr>().length();
return true;
}
return false;
case TypedObjectPrediction::Prefix:
- break; // Prefixes are always structs, never arrays
+ // Prefixes are always structs, never arrays
+ return false;
+
+ default:
+ MOZ_CRASH("Bad prediction kind");
}
- MOZ_CRASH("Bad prediction kind");
}
TypedObjectPrediction
TypedObjectPrediction::arrayElementType() const
{
MOZ_ASSERT(ofArrayKind());
switch (predictionKind()) {
case TypedObjectPrediction::Empty:
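Review bot: With `MOZ_ASSERT(ofArrayKind())` removed from hasKnownArrayLength, the comment in the Descr arm ("In later patches, this condition will always be true so long as this represents an array") no longer describes why the `is<ArrayTypeDescr>()` test exists. The test is now the only thing that stops a non-array descriptor from reaching `as<ArrayTypeDescr>()`. I would reword it to something like `// Callers may query non-array predictions, so this check is required before the downcast.` Also, arrayElementType, whose start is visible at the end of this hunk, still asserts `ofArrayKind()`. Presumably callers are expected to gate on hasKnownArrayLength first, and that ordering is worth a sentence in the header or at the assertion.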
@@ -281,22 +285,24 @@ TypedObjectPrediction::hasFieldNamed(jsi
TypedObjectPrediction *fieldType,
size_t *fieldIndex) const
{
MOZ_ASSERT(kind() == type::Struct);
switch (predictionKind()) {
case TypedObjectPrediction::Empty:
case TypedObjectPrediction::Inconsistent:
- break;
+ return false;
case TypedObjectPrediction::Descr:
return hasFieldNamedPrefix(
descr().as<StructTypeDescr>(), ALL_FIELDS,
id, fieldOffset, fieldType, fieldIndex);
case TypedObjectPrediction::Prefix:
return hasFieldNamedPrefix(
*prefix().descr, prefix().fields,
id, fieldOffset, fieldType, fieldIndex);
+
+ default:
+ MOZ_CRASH("Bad prediction kind");
}
- MOZ_CRASH("Bad prediction kind");
}
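Review bot: hasFieldNamed still relies on `MOZ_ASSERT(kind() == type::Struct)` before the Descr arm calls `descr().as<StructTypeDescr>()`, and MOZ_ASSERT is compiled out of release builds, so a non-struct descriptor reaching this point would be downcast unchecked. hasKnownArrayLength was hardened in this same patch by testing `is<ArrayTypeDescr>()` at run time; the matching guard here would be `if (!descr().is<StructTypeDescr>()) return false;` at the top of the Descr arm. It is also unclear that the new `return false` for Empty/Inconsistent is reachable in debug builds, because the assertion evaluates `kind()` first and its behaviour for those states is not shown here. The function's signature starts above this hunk.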