Bug 1148970 - Check for possibly incomplete type sets when double checking the correctness of argument type set information, r=jandem.
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -3530,16 +3530,28 @@ CodeGenerator::generateArgumentsChecks(b
if (miss.used()) {
if (bailout) {
bailoutFrom(&miss, graph.entrySnapshot());
} else {
Label success;
masm.jump(&success);
masm.bind(&miss);
+
+ // Check for cases where the type set guard might have missed due to
+ // changing object groups.
+ for (uint32_t i = info.startArgSlot(); i < info.endArgSlot(); i++) {
+ Label skip;
+ Address addr(StackPointer, ArgToStackOffset((i - info.startArgSlot()) * sizeof(Value)));
+ masm.branchTestObject(Assembler::NotEqual, addr, &skip);
+ Register obj = masm.extractObject(addr, temp);
+ masm.guardTypeSetMightBeIncomplete(obj, temp, &success);
+ masm.bind(&skip);
+ }
+
masm.assumeUnreachable("Argument check fail.");
masm.bind(&success);
}
}
}
// Out-of-line path to report over-recursed error and fail.
class CheckOverRecursedFailure : public OutOfLineCodeBase<CodeGenerator>