Bug 862699, bug 862708 - Fix a couple of fuzz bugs.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 17 Apr 2013 16:56:29 -0600
changeset 140546 ae6a2cf914f7f4b964c9dc265cf3c11e149fb49e
parent 140545 d746d516bf55420ebc686f206164973e2d791913
child 140547 7bc766400b8117129e862eb8b9227d89ea301e18
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
bugs862699, 862708
milestone23.0a1
Bug 862699, bug 862708 - Fix a couple of fuzz bugs.
js/src/ion/IonBuilder.cpp
js/src/ion/ParallelArrayAnalysis.cpp
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -5963,17 +5963,17 @@ IonBuilder::propertyReadNeedsTypeBarrier
         object->getFromPrototypes(cx, id, property);
 
     if (!TypeSetIncludes(observed, MIRType_Value, property))
         return true;
 
     // Type information for global objects does not reflect the initial
     // 'undefined' value of variables declared with 'var'. Until the variable
     // is assigned a value other than undefined, a barrier is required.
-    if (property->empty() && name && object->singleton) {
+    if (property->empty() && name && object->singleton && object->singleton->isNative()) {
         Shape *shape = object->singleton->nativeLookup(cx, name);
         if (shape && shape->hasDefaultGetter()) {
             JS_ASSERT(object->singleton->nativeGetSlot(shape->slot()).isUndefined());
             return true;
         }
     }
 
     property->addFreeze(cx);
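Review bot: With the added `isNative()` test, a non-native singleton (one with no native shape tree, e.g. a proxy) whose property type set is empty now skips the lookup entirely and falls through to `property->addFreeze(cx)`, i.e. it gets no barrier; the comment above only explains the native `var` case, so the reason that fall-through is acceptable is not recorded. Presumably such objects have no "declared but still undefined" slot that TI could be missing, so the frozen type set is trusted as-is — if that assumption does not hold for some non-native global, this path would need to return true as well. Suggest extending the comment: `// Non-native singletons have no shape tree to consult, so they skip this check and rely on the freeze below.` Note also that the `JS_ASSERT` on the slot value is debug-only; the release build relies solely on `hasDefaultGetter()` to decide that a barrier is required. propertyReadNeedsTypeBarrier starts before and continues past this hunk.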
--- a/js/src/ion/ParallelArrayAnalysis.cpp
+++ b/js/src/ion/ParallelArrayAnalysis.cpp
@@ -724,19 +724,17 @@ ParallelArrayVisitor::insertWriteGuard(M
 // We only support calls to interpreted functions that that have already been
 // Ion compiled. If a function has no IonScript, we bail out. The transitive
 // compilation is done by asking TI for all possible callees at callsites.
 
 static bool
 GetPossibleCallees(JSContext *cx, HandleScript script, jsbytecode *pc,
                    types::StackTypeSet *calleeTypes, MIRGraph &graph)
 {
-    JS_ASSERT(calleeTypes);
-
-    if (calleeTypes->baseFlags() != 0)
+    if (!calleeTypes || calleeTypes->baseFlags() != 0)
         return true;
 
     unsigned objCount = calleeTypes->getObjectCount();
 
     if (objCount == 0)
         return true;
 
     RootedFunction fun(cx);
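Review bot: The new `!calleeTypes` guard makes a missing result type set return true, the same outcome as a type set with unrestricted `baseFlags()`, but the code does not say why a null set is equivalent to an unknown callee rather than an error — the assertion it replaces meant that case was previously considered impossible. Presumably the caller already treats "nothing known about the callee" as something the runtime call path guards against, so a null set can be folded into that bucket; if no such runtime guard exists, a missing type set should be treated as unsafe instead of silently accepted. Suggested comment above the check: `// A missing or unrestricted type set tells us nothing about the callee; treat it like an unknown callee instead of asserting.` GetPossibleCallees continues past the end of this hunk.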
@@ -789,17 +787,16 @@ ParallelArrayVisitor::visitCall(MCall *i
     }
 
     if (ins->isConstructing()) {
         SpewMIR(ins, "call to unknown constructor");
         return markUnsafe();
     }
 
     types::StackTypeSet *calleeTypes = ins->getFunction()->resultTypeSet();
-    JS_ASSERT(calleeTypes);
 
     RootedScript script(cx_, ins->block()->info().script());
     return GetPossibleCallees(cx_, script, ins->resumePoint()->pc(),
                               calleeTypes, graph_);
 }
 
 /////////////////////////////////////////////////////////////////////////////
 // Stack limit, interrupts