Bug 932530 - Check return of getType in more places; r=djvj
authorTerrence Cole <terrence@mozilla.com>
Tue, 05 Nov 2013 10:03:24 -0800
changeset 168222 208198d2bbddfe9ae5896ee2ae912a1c6239e26c
parent 168202 58d7c1291d4c8b997df417dcb413e80d0be3d48e
child 168223 979b83683ca7a9d21997a154b1dfe65b2d7ebad1
push id3224
push userlsblakk@mozilla.com
push dateTue, 04 Feb 2014 01:06:49 +0000
treeherdermozilla-beta@60c04d0987f1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdjvj
bugs932530
milestone28.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 932530 - Check return of getType in more places; r=djvj
js/src/jit/BaselineIC.cpp
js/src/jit/BaselineIC.h
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -4725,18 +4725,20 @@ DoSetElemFallback(JSContext *cx, Baselin
         JS_ASSERT(!obj->is<TypedArrayObject>());
 
         bool addingCase;
         size_t protoDepth;
 
         if (CanOptimizeDenseSetElem(cx, obj, index.toInt32(), oldShape, oldCapacity, oldInitLength,
                                     &addingCase, &protoDepth))
         {
+            RootedShape shape(cx, obj->lastProperty());
             RootedTypeObject type(cx, obj->getType(cx));
-            RootedShape shape(cx, obj->lastProperty());
+            if (!type)
+                return false;
 
             if (addingCase && !DenseSetElemStubExists(cx, ICStub::SetElem_DenseAdd, stub, obj)) {
                 IonSpew(IonSpew_BaselineIC,
                         "  Generating SetElem_DenseAdd stub "
                         "(shape=%p, type=%p, protoDepth=%u)",
                         obj->lastProperty(), type.get(), protoDepth);
                 ICSetElemDenseAddCompiler compiler(cx, obj, protoDepth);
                 ICUpdatedStub *denseStub = compiler.getStub(compiler.getStubSpace(script));
@@ -9323,16 +9325,19 @@ ICSetProp_Native::ICSetProp_Native(IonCo
     shape_(shape),
     offset_(offset)
 { }
 
 ICUpdatedStub *
 ICSetProp_Native::Compiler::getStub(ICStubSpace *space)
 {
     RootedTypeObject type(cx, obj_->getType(cx));
+    if (!type)
+        return nullptr;
+
     RootedShape shape(cx, obj_->lastProperty());
     ICUpdatedStub *stub = ICSetProp_Native::New(space, getStubCode(), type, shape, offset_);
     if (!stub || !stub->initUpdatingChain(cx, space))
         return nullptr;
     return stub;
 }
 
 ICSetProp_NativeAdd::ICSetProp_NativeAdd(IonCode *stubCode, HandleTypeObject type,
--- a/js/src/jit/BaselineIC.h
+++ b/js/src/jit/BaselineIC.h
@@ -4946,16 +4946,19 @@ class ICSetPropNativeAddCompiler : publi
   public:
     ICSetPropNativeAddCompiler(JSContext *cx, HandleObject obj, HandleShape oldShape,
                                size_t protoChainDepth, bool isFixedSlot, uint32_t offset);
 
     template <size_t ProtoChainDepth>
     ICUpdatedStub *getStubSpecific(ICStubSpace *space, const AutoShapeVector *shapes)
     {
         RootedTypeObject type(cx, obj_->getType(cx));
+        if (!type)
+            return nullptr;
+
         RootedShape newShape(cx, obj_->lastProperty());
 
         return ICSetProp_NativeAddImpl<ProtoChainDepth>::New(
                     space, getStubCode(), type, shapes, newShape, offset_);
     }
 
     ICUpdatedStub *getStub(ICStubSpace *space);
 };