[INFER] Don't LICM array lengths in scripts which have had bounds checks fail, bug 651155.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 19 Apr 2011 22:20:43 -0700
changeset 75733 e5efb8c97426a6ebbed4db1bc1239f418b25802a
parent 75732 3538d4d61e0ec1de3c4228073f7aaf39f647881d
child 75734 e2ac5bec56fb81619893dd85021b0a12f8910a02
push id235
push userbzbarsky@mozilla.com
push dateTue, 27 Sep 2011 17:13:04 +0000
treeherdermozilla-beta@2d1e082d176a [default view] [failures only]
bugs651155
milestone6.0a1
[INFER] Don't LICM array lengths in scripts which have had bounds checks fail, bug 651155.
js/src/jit-test/tests/jaeger/loops/bug651155.js
js/src/methodjit/LoopState.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug651155.js
@@ -0,0 +1,6 @@
+ForIn_2();
+function ForIn_2( object ) {
+  PropertyArray=new Array;
+  var PropertyArray = 'Do not assert: !cx->throwing';
+  for ( i in object ) PropertyArray.length-1;
+}
--- a/js/src/methodjit/LoopState.cpp
+++ b/js/src/methodjit/LoopState.cpp
@@ -609,16 +609,19 @@ LoopState::invariantSlots(const FrameEnt
     /* addHoistedCheck should have ensured there is an entry for the slots. */
     JS_NOT_REACHED("Missing invariant slots");
     return NULL;
 }
 
 FrameEntry *
 LoopState::invariantLength(const FrameEntry *obj)
 {
+    if (skipAnalysis || script->failedBoundsCheck)
+        return NULL;
+
     obj = obj->backing();
     uint32 slot = frame.indexOfFe(obj);
 
     for (unsigned i = 0; i < invariantEntries.length(); i++) {
         InvariantEntry &entry = invariantEntries[i];
         if (entry.kind == InvariantEntry::INVARIANT_LENGTH &&
             entry.u.array.arraySlot == slot) {
             FrameEntry *fe = frame.getTemporary(entry.u.array.temporary);
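Review bot: The new early return at the top of `LoopState::invariantLength` carries no comment explaining why a script with `failedBoundsCheck` set must not reuse a hoisted length, so the reasoning lives only in the commit message. A short comment above the `if` would help, for example `/* Don't hand out a loop-invariant length once a bounds check has failed in this script; hoisted length assumptions may not hold. */`. Returning NULL here also means every caller has to treat NULL as "no hoisted length" and fall back to reading the length directly; the call sites are outside this hunk, so that is worth confirming. It is likewise not visible here whether `invariantSlots`, whose tail appears just above and ends in `JS_NOT_REACHED("Missing invariant slots")`, is kept from running under the same `skipAnalysis || script->failedBoundsCheck` condition. The body of `invariantLength` continues past the end of the hunk.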