Bug 1102329 - Fix unchecked downcast to JSFunction, r=jandem.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 22 Nov 2014 11:51:52 -0700
changeset 241322 05b7e79b688e936428dbca959537a2afc517d22e
parent 241321 f2d3a639784f82ebeb064176c84110465b037e2a
child 241323 a5271ded6fff270f4512e4c93747792a9bc6c603
push id4311
push userraliiev@mozilla.com
push dateMon, 12 Jan 2015 19:37:41 +0000
reviewersjandem
bugs1102329
milestone36.0a1
Bug 1102329 - Fix unchecked downcast to JSFunction, r=jandem.
js/src/jit-test/tests/TypedObject/bug1102329.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug1102329.js
@@ -0,0 +1,12 @@
+if (typeof TypedObject === "undefined")
+  quit();
+
+A = Array.bind()
+var {
+    StructType
+} = TypedObject
+var A = new StructType({});
+(function() {
+    new A
+    for (var i = 0; i < 9; i++) {}
+})()
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5086,18 +5086,22 @@ IonBuilder::inlineCalls(CallInfo &callIn
 
             // If there is only 1 remaining case, we can annotate the fallback call
             // with the target information.
             if (dispatch->numCases() + 1 == originals.length()) {
                 for (uint32_t i = 0; i < originals.length(); i++) {
                     if (choiceSet[i])
                         continue;
 
-                    remaining = &targets[i]->as<JSFunction>();
-                    clonedAtCallsite = targets[i] != originals[i];
+                    MOZ_ASSERT(!remaining);
+
+                    if (targets[i]->is<JSFunction>()) {
+                        remaining = &targets[i]->as<JSFunction>();
+                        clonedAtCallsite = targets[i] != originals[i];
+                    }
                     break;
                 }
             }
 
             if (!inlineGenericFallback(remaining, callInfo, dispatchBlock, clonedAtCallsite))
                 return false;
             dispatch->addFallback(current);
         }
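Review bot: When the one remaining target is not a JSFunction, `remaining` stays null and is passed to `inlineGenericFallback(remaining, callInfo, dispatchBlock, clonedAtCallsite)` a few lines below. That function's body is not visible here, so it is worth confirming that it treats a null target as "no target information" and never dereferences it. The old `as<JSFunction>()` cast is presumably checked only by a debug assertion, which would make this a type confusion in release builds. A short comment on the new branch would record why the check exists, e.g. `// The callee may be a non-function callable (e.g. a TypedObject descriptor); leave the fallback unannotated.` Because the loop breaks at the first unchosen index, `MOZ_ASSERT(!remaining)` only checks the initial value, which is set outside this hunk, as are the start and end of `IonBuilder::inlineCalls`.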