[INFER] Don't LICM array lengths in scripts which have had bounds checks fail, bug 651155.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 19 Apr 2011 22:20:43 -0700
changeset 74963 e5efb8c97426a6ebbed4db1bc1239f418b25802a
parent 74962 3538d4d61e0ec1de3c4228073f7aaf39f647881d
child 74964 e2ac5bec56fb81619893dd85021b0a12f8910a02
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs651155
milestone6.0a1
[INFER] Don't LICM array lengths in scripts which have had bounds checks fail, bug 651155.
js/src/jit-test/tests/jaeger/loops/bug651155.js
js/src/methodjit/LoopState.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug651155.js
@@ -0,0 +1,6 @@
+ForIn_2();
+function ForIn_2( object ) {
+  PropertyArray=new Array;
+  var PropertyArray = 'Do not assert: !cx->throwing';
+  for ( i in object ) PropertyArray.length-1;
+}
--- a/js/src/methodjit/LoopState.cpp
+++ b/js/src/methodjit/LoopState.cpp
@@ -609,16 +609,19 @@ LoopState::invariantSlots(const FrameEnt
     /* addHoistedCheck should have ensured there is an entry for the slots. */
     JS_NOT_REACHED("Missing invariant slots");
     return NULL;
 }
 
 FrameEntry *
 LoopState::invariantLength(const FrameEntry *obj)
 {
+    if (skipAnalysis || script->failedBoundsCheck)
+        return NULL;
+
     obj = obj->backing();
     uint32 slot = frame.indexOfFe(obj);
 
     for (unsigned i = 0; i < invariantEntries.length(); i++) {
         InvariantEntry &entry = invariantEntries[i];
         if (entry.kind == InvariantEntry::INVARIANT_LENGTH &&
             entry.u.array.arraySlot == slot) {
             FrameEntry *fe = frame.getTemporary(entry.u.array.temporary);
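Review bot: The new guard at the top of `LoopState::invariantLength` has no comment, so a reader has to go to the commit message to learn why `script->failedBoundsCheck` disables the hoisted length. I would add `/* Do not use hoisted array lengths in scripts where a bounds check has failed (bug 651155). */` above the `if`. The guard also makes NULL the result for every call in such a script; the rest of the body and all callers are outside this hunk, so it cannot be confirmed from here that each caller treats NULL as "reload the length" rather than dereferencing it. Since the length feeds array bounds checks, that fallback path is worth verifying for each caller. The added test only checks that a for-in loop reading `.length` on a string does not trigger an assertion, so it likely does not cover an indexed access after a failed bounds check.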