Bug 902744 - Don't inline NewDenseArray intrinsic if length argument isn't known to be int32. (r=nmatsakis)
authorShu-yu Guo <shu@rfrn.org>
Fri, 09 Aug 2013 17:11:44 -0700
changeset 142144 928f0878d1cdef204feaed4e66a8f4baadf09d8f
parent 142143 f5d38a9eb834e378958e845395adc7111b59eb11
child 142145 1adc4b65b54b89dcb9a606057c4a54bc4fdf302d
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersnmatsakis
bugs902744
milestone26.0a1
Bug 902744 - Don't inline NewDenseArray intrinsic if length argument isn't known to be int32. (r=nmatsakis)
js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -1304,16 +1304,18 @@ IonBuilder::inlineNewDenseArrayForParall
     // Create the new parallel array object.  Parallel arrays have specially
     // constructed type objects, so we can only perform the inlining if we
     // already have one of these type objects.
     types::StackTypeSet *returnTypes = getInlineReturnTypeSet();
     if (returnTypes->getKnownTypeTag() != JSVAL_TYPE_OBJECT)
         return InliningStatus_NotInlined;
     if (returnTypes->unknownObject() || returnTypes->getObjectCount() != 1)
         return InliningStatus_NotInlined;
+    if (callInfo.getArg(0)->type() != MIRType_Int32)
+        return InliningStatus_NotInlined;
     types::TypeObject *typeObject = returnTypes->getTypeObject(0);
 
     RootedObject templateObject(cx, NewDenseAllocatedArray(cx, 0, NULL, TenuredObject));
     if (!templateObject)
         return InliningStatus_Error;
     templateObject->setType(typeObject);
 
     callInfo.unwrapArgs();