Bug 989586 - Fix Ion correctness bug when inlining |new Array(x)|. r=bhackett, a=sledru
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 01 Apr 2014 21:19:39 +0200
changeset 183611 37ab641216bdc0be3d6b5fdbdc644c940aa740e1
parent 183610 215560a0451398a65234c9ac68c30bf46ba39a6a
child 183612 cd8fed951743bccf83ed3caae46ff836c9835dbb
push id3419
push userryanvm@gmail.com
push dateWed, 02 Apr 2014 16:42:40 +0000
reviewersbhackett, sledru
bugs989586
milestone29.0
Bug 989586 - Fix Ion correctness bug when inlining |new Array(x)|. r=bhackett, a=sledru
js/src/jit-test/tests/ion/bug989586.js
js/src/jit/MCallOptimize.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug989586.js
@@ -0,0 +1,15 @@
+function t() {
+    var iter = 0;
+    function a(w) {
+	var a = new Array(w);
+	assertEq(a.length, w);
+    }
+    function r() {
+	a(3);
+	a(4);
+    }
+    for (var i=0; i<100; i++) {
+	r();
+    }
+}
+t();
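Review bot: `var iter = 0;` at the top of t() is never read anywhere in the test, so it should be dropped to keep the regression test minimal and avoid a reader looking for its use. The inner `function a(w)` also declares a local `var a` that shadows the function's own name; it is harmless because the function is not re-entered, but renaming the local, e.g. `var arr = new Array(w); assertEq(arr.length, w);`, makes the test read more clearly. The warm-up loop of 100 iterations is presumably what drives Ion compilation of r() so that a() is inlined with two distinct constant lengths; a one-line comment saying so would tell the next reader why both `a(3)` and `a(4)` are needed.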
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -243,16 +243,22 @@ IonBuilder::inlineArray(CallInfo &callIn
         if (!arg->isConstant())
             return InliningStatus_NotInlined;
 
         // Negative lengths generate a RangeError, unhandled by the inline path.
         initLength = arg->toConstant()->value().toInt32();
         if (initLength >= JSObject::NELEMENTS_LIMIT)
             return InliningStatus_NotInlined;
 
+        // Make sure initLength matches the template object's length. This is
+        // not guaranteed to be the case, for instance if we're inlining the
+        // MConstant may come from an outer script.
+        if (initLength != templateObject->as<ArrayObject>().length())
+            return InliningStatus_NotInlined;
+
         if (initLength <= ArrayObject::EagerAllocationMaxLength)
             allocating = MNewArray::NewArray_Allocating;
     }
 
     callInfo.setImplicitlyUsedUnchecked();
 
     types::TemporaryTypeSet::DoubleConversion conversion =
         getInlineReturnTypeSet()->convertDoubleElements(constraints());
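Review bot: The comment above the new length check is missing a comma and currently parses as "inlining the MConstant", which obscures the actual reason for the check; suggest `// not guaranteed to be the case: when inlining, the MConstant may come from an outer script.` The check itself is the right fix for the bug: without it a constant length from the caller's script is silently replaced by the template object's length, and the test in this commit would observe the wrong `a.length`. Note that initLength comes from toInt32() while ArrayObject::length() is, as far as I know, unsigned, so the `!=` is a mixed-sign comparison; that is only safe because a negative initLength is presumably already rejected by the `>= NELEMENTS_LIMIT` guard above (if that limit is unsigned), and an explicit `if (initLength < 0) return InliningStatus_NotInlined;` would make the "Negative lengths generate a RangeError" comment literally true instead of relying on the conversion. inlineArray begins and ends outside this hunk.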