Bug 1109911 - Improve robustness of TypedObjectPrediction code, r=nmatsakis.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 07 Jan 2015 10:35:07 -0700
changeset 248348 180ffdfd2d27a68c45f712b3673203bbe8622ad4
parent 248347 3d2cbf625d1cff443957dca61e85a78917b5dc56
child 248349 63f90f467985969860d5c30fd9df0cfd07560477
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
reviewersnmatsakis
bugs1109911
milestone37.0a1
Bug 1109911 - Improve robustness of TypedObjectPrediction code, r=nmatsakis.
js/src/jit-test/tests/TypedObject/bug1109911.js
js/src/jit/TypedObjectPrediction.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug1109911.js
@@ -0,0 +1,12 @@
+
+if (typeof TypedObject === "undefined")
+  quit();
+
+var int32x4 = SIMD.int32x4;
+var a = int32x4((4294967295), 200, 300, 400);
+addCase( new Array(Math.pow(2,12)) );
+for ( var arg = "", i = 0; i < Math.pow(2,12); i++ ) {}
+addCase( a );
+function addCase(object) {
+  object.length 
+}
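Review bot: The guard at the top of the test checks only `TypedObject`, but the next statement dereferences `SIMD.int32x4`, so a shell built with TypedObject and without the SIMD global would fail with a ReferenceError instead of skipping. Extending the guard to `if (typeof TypedObject === "undefined" || typeof SIMD === "undefined")` keeps the test meaningful on every configuration. A one-line comment saying that the test reads `.length` on a non-array typed object after warming up `addCase` with an Array would also help whoever has to reduce a future failure.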
--- a/js/src/jit/TypedObjectPrediction.cpp
+++ b/js/src/jit/TypedObjectPrediction.cpp
@@ -131,29 +131,30 @@ TypedObjectPrediction::ofArrayKind() con
 }
 
 bool
 TypedObjectPrediction::hasKnownSize(int32_t *out) const
 {
     switch (predictionKind()) {
       case TypedObjectPrediction::Empty:
       case TypedObjectPrediction::Inconsistent:
-        break;
+        return false;
 
       case TypedObjectPrediction::Descr:
         *out = descr().size();
         return true;
 
       case TypedObjectPrediction::Prefix:
         // We only know a prefix of the struct fields, hence we do not
         // know its complete size.
         return false;
+
+      default:
+        MOZ_CRASH("Bad prediction kind");
     }
-
-    MOZ_CRASH("Bad prediction kind");
 }
 
 const TypedProto *
 TypedObjectPrediction::getKnownPrototype() const
 {
     switch (predictionKind()) {
       case TypedObjectPrediction::Empty:
       case TypedObjectPrediction::Inconsistent:
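Review bot: Moving `MOZ_CRASH("Bad prediction kind")` under a `default:` label in `hasKnownSize` gives up the compiler's unhandled-enumerator diagnostic (`-Wswitch`) for this switch, assuming `predictionKind()` returns the enum type, so a prediction kind added later would compile silently and be found only at run time. Since every arm now returns, the crash can stay where it was: drop the `default:` label and keep `MOZ_CRASH("Bad prediction kind");` after the switch's closing brace. The same applies to the `getKnownPrototype`, `hasKnownArrayLength` and `hasFieldNamed` hunks. `getKnownPrototype` begins in this hunk and continues outside it.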
@@ -163,19 +164,20 @@ TypedObjectPrediction::getKnownPrototype
         if (descr().is<ComplexTypeDescr>())
             return &descr().as<ComplexTypeDescr>().instancePrototype();
         return nullptr;
 
       case TypedObjectPrediction::Prefix:
         // We only know a prefix of the struct fields, hence we cannot
         // say for certain what its prototype will be.
         return nullptr;
+
+      default:
+        MOZ_CRASH("Bad prediction kind");
     }
-
-    MOZ_CRASH("Bad prediction kind");
 }
 
 template<typename T>
 typename T::Type
 TypedObjectPrediction::extractType() const
 {
     MOZ_ASSERT(kind() == T::Kind);
     switch (predictionKind()) {
@@ -209,35 +211,37 @@ SimdTypeDescr::Type
 TypedObjectPrediction::simdType() const
 {
     return extractType<SimdTypeDescr>();
 }
 
 bool
 TypedObjectPrediction::hasKnownArrayLength(int32_t *length) const
 {
-    MOZ_ASSERT(ofArrayKind());
     switch (predictionKind()) {
       case TypedObjectPrediction::Empty:
       case TypedObjectPrediction::Inconsistent:
-        break;
+        return false;
 
       case TypedObjectPrediction::Descr:
         // In later patches, this condition will always be true
         // so long as this represents an array
         if (descr().is<ArrayTypeDescr>()) {
             *length = descr().as<ArrayTypeDescr>().length();
             return true;
         }
         return false;
 
       case TypedObjectPrediction::Prefix:
-        break; // Prefixes are always structs, never arrays
+        // Prefixes are always structs, never arrays
+        return false;
+
+      default:
+        MOZ_CRASH("Bad prediction kind");
     }
-    MOZ_CRASH("Bad prediction kind");
 }
 
 TypedObjectPrediction
 TypedObjectPrediction::arrayElementType() const
 {
     MOZ_ASSERT(ofArrayKind());
     switch (predictionKind()) {
       case TypedObjectPrediction::Empty:
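Review bot: The comment kept in the `Descr` arm of `hasKnownArrayLength` ("In later patches, this condition will always be true so long as this represents an array") no longer matches the contract once `MOZ_ASSERT(ofArrayKind())` is removed, because the `is<ArrayTypeDescr>()` test is now the only thing between a non-array descriptor and the `as<ArrayTypeDescr>()` cast. The regression test in this commit reads `.length` on an `int32x4` value, which suggests non-array predictions do reach this function. I would reword the comment along the lines of `// Callers may pass non-array predictions; this check keeps the as<ArrayTypeDescr>() cast valid.` and add a header comment stating that `*length` is written only when the function returns true. `arrayElementType()` below still asserts `ofArrayKind()`, and its body continues outside the hunk.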
@@ -281,22 +285,24 @@ TypedObjectPrediction::hasFieldNamed(jsi
                                      TypedObjectPrediction *fieldType,
                                      size_t *fieldIndex) const
 {
     MOZ_ASSERT(kind() == type::Struct);
 
     switch (predictionKind()) {
       case TypedObjectPrediction::Empty:
       case TypedObjectPrediction::Inconsistent:
-        break;
+        return false;
 
       case TypedObjectPrediction::Descr:
         return hasFieldNamedPrefix(
             descr().as<StructTypeDescr>(), ALL_FIELDS,
             id, fieldOffset, fieldType, fieldIndex);
 
       case TypedObjectPrediction::Prefix:
         return hasFieldNamedPrefix(
             *prefix().descr, prefix().fields,
             id, fieldOffset, fieldType, fieldIndex);
+
+      default:
+        MOZ_CRASH("Bad prediction kind");
     }
-    MOZ_CRASH("Bad prediction kind");
 }
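Review bot: In `hasFieldNamed` the `Descr` arm still calls `descr().as<StructTypeDescr>()` with only the debug-only `MOZ_ASSERT(kind() == type::Struct)` in front of it, so nothing in this function checks the descriptor type in a release build. The `hasKnownArrayLength` hunk covers the equivalent case with a runtime `is<ArrayTypeDescr>()` test. If callers can reach this with a non-struct prediction, which is not visible from this hunk, a matching guard such as `if (!descr().is<StructTypeDescr>()) return false;` before the cast would make the two functions consistent. It is also worth confirming that `kind()` tolerates `Empty` and `Inconsistent`; otherwise the new `return false` for those arms is reachable only where the assertion is compiled out. The function's signature begins outside the hunk.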