mozilla-aurora: changeset 356452:f004cbe6f011a9d20132e57b9030bd70b4236f42

--- a/js/src/jit/BaselineCacheIRCompiler.cpp
+++ b/js/src/jit/BaselineCacheIRCompiler.cpp
@@ -683,16 +683,17 @@ BaselineCacheIRCompiler::emitGuardDOMExp
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     Label done;
     masm.branchTestUndefined(Assembler::Equal, val, &done);
 
+    masm.debugAssertIsObject(val);
     masm.loadPtr(shapeAddr, shapeScratch);
     masm.unboxObject(val, objScratch);
     masm.branchTestObjShape(Assembler::NotEqual, objScratch, shapeScratch, failure->label());
 
     masm.bind(&done);
     return true;
 }

--- a/js/src/jit/IonCacheIRCompiler.cpp
+++ b/js/src/jit/IonCacheIRCompiler.cpp
@@ -877,16 +877,17 @@ IonCacheIRCompiler::emitGuardDOMExpandoM
 
     FailurePath* failure;
     if (!addFailurePath(&failure))
         return false;
 
     Label done;
     masm.branchTestUndefined(Assembler::Equal, val, &done);
 
+    masm.debugAssertIsObject(val);
     masm.unboxObject(val, objScratch);
     masm.branchTestObjShape(Assembler::NotEqual, objScratch, shape, failure->label());
 
     masm.bind(&done);
     return true;
 }
 
 bool

--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -2955,16 +2955,27 @@ MacroAssembler::BranchType::emit(MacroAs
 
 void
 MacroAssembler::BranchGCPtr::emit(MacroAssembler& masm)
 {
     MOZ_ASSERT(isInitialized());
     masm.branchPtr(cond(), reg(), ptr_, jump());
 }
 
+void
+MacroAssembler::debugAssertIsObject(const ValueOperand& val)
+{
+#ifdef DEBUG
+    Label ok;
+    branchTestObject(Assembler::Equal, val, &ok);
+    assumeUnreachable("Expected an object!");
+    bind(&ok);
+#endif
+}
+
 namespace js {
 namespace jit {
 
 #ifdef DEBUG
 template <class RegisterType>
 AutoGenericRegisterScope<RegisterType>::AutoGenericRegisterScope(MacroAssembler& masm, RegisterType reg)
   : RegisterType(reg), masm_(masm)
 {

--- a/js/src/jit/MacroAssembler.h
+++ b/js/src/jit/MacroAssembler.h
@@ -1657,16 +1657,18 @@ class MacroAssembler : public MacroAssem
 
     Register extractString(const Address& address, Register scratch) {
         return extractObject(address, scratch);
     }
     Register extractString(const ValueOperand& value, Register scratch) {
         return extractObject(value, scratch);
     }
 
+    void debugAssertIsObject(const ValueOperand& val);
+
     using MacroAssemblerSpecific::extractTag;
     Register extractTag(const TypedOrValueRegister& reg, Register scratch) {
         if (reg.hasValue())
             return extractTag(reg.valueReg(), scratch);
         mov(ImmWord(MIRTypeToTag(reg.type())), scratch);
         return scratch;
     }

author	Jan de Mooij <jdemooij@mozilla.com>
	Sat, 07 Jan 2017 10:22:12 +0100
changeset 356452	f004cbe6f011a9d20132e57b9030bd70b4236f42
parent 356451	744e3371701b602e027faec7994df5c064879136
child 356453	f9743055774c27b098664b700135b65cf40041f1
push id	10621
push user	jlund@mozilla.com
push date	Mon, 23 Jan 2017 16:02:43 +0000
treeherder	mozilla-aurora@dca7b42e6c67 [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	bz
bugs	965992
milestone	53.0a1

js/src/jit/BaselineCacheIRCompiler.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit/IonCacheIRCompiler.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit/MacroAssembler.cpp		file \| annotate \| diff \| comparison \| revisions
js/src/jit/MacroAssembler.h		file \| annotate \| diff \| comparison \| revisions