Bug 1265159 - IonMonkey: Throw error when popping from an empty array in MArrayPopShift, r=jandem
authorHannes Verschore <hv1989@gmail.com>
Fri, 22 Apr 2016 11:34:04 -0400
changeset 332435 ebf23fb059f5ab37598ed92ba7901aac9023d708
parent 332434 c23b44faa96925d311e0844b14c8dc468f584f14
child 332436 cd38098913193cc5415fe799d6a146d48690a4e4
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
reviewersjandem
bugs1265159
milestone48.0a1
Bug 1265159 - IonMonkey: Throw error when popping from an empty array in MArrayPopShift, r=jandem
js/src/jit-test/tests/ion/bug1265159.js
js/src/jit/CodeGenerator.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1265159.js
@@ -0,0 +1,17 @@
+
+var thrown = false;
+try {
+    x = [0];
+    for (var i = 0; i < 5; ++i) {
+        if (i == 3)
+            Object.freeze(x);
+        else
+            x.pop();
+    }
+} catch (e) {
+    thrown = true;
+    assertEq(e instanceof TypeError, true);
+}
+
+assertEq(thrown, true);
+
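Review bot: The test exercises only `pop()`, while the fix lives in emitArrayPopShift, which by its name appears to serve both pop and shift; a second loop with the same freeze-at-iteration-3 pattern calling `x.shift()` would pin the shift path as well. The assignment `x = [0];` also creates an implicit global; `var x = [0];` keeps the test valid if the harness ever runs it in strict mode. Both are small additions inside this new file.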
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -8129,16 +8129,27 @@ CodeGenerator::emitArrayPopShift(LInstru
 
     // Test for length != 0. On zero length either take a VM call or generate
     // an undefined value, depending on whether the call is known to produce
     // undefined.
     Label done;
     if (mir->maybeUndefined()) {
         Label notEmpty;
         masm.branchTest32(Assembler::NonZero, lengthTemp, lengthTemp, &notEmpty);
+
+        // According to the spec we need to set the length 0 (which is already 0).
+        // This is observable when the array length is made non-writable.
+        // Handle this case in the OOL. When freezing an unboxed array it is converted
+        // to an normal array.
+        if (mir->unboxedType() == JSVAL_TYPE_MAGIC) {
+            Address elementFlags(elementsTemp, ObjectElements::offsetOfFlags());
+            Imm32 bit(ObjectElements::NONWRITABLE_ARRAY_LENGTH);
+            masm.branchTest32(Assembler::NonZero, elementFlags, bit, ool->entry());
+        }
+
         masm.moveValue(UndefinedValue(), out.valueReg());
         masm.jump(&done);
         masm.bind(&notEmpty);
     } else {
         masm.branchTest32(Assembler::Zero, lengthTemp, lengthTemp, ool->entry());
     }
 
     masm.dec32(&key);
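Review bot: The new NONWRITABLE_ARRAY_LENGTH check reads `elementFlags` through `elementsTemp`, so it relies on that register already holding the elements pointer at this point; emitArrayPopShift starts and ends outside the hunk, so a one-line comment above the `Address elementFlags(...)` line stating that `elementsTemp` is the loaded elements pointer would save the next reader a trip up the function. The explanatory comment has two wording slips that are worth fixing while here: `// According to the spec we need to set the length to 0 (which is already 0).` and `// to a normal array.` The unboxed-array exclusion (`mir->unboxedType() == JSVAL_TYPE_MAGIC`) rests on the stated invariant that freezing converts an unboxed array to a normal one; if that conversion is the only route to a non-writable length, adding `// Unboxed arrays therefore never carry NONWRITABLE_ARRAY_LENGTH.` makes the skipped check self-explanatory rather than inferred.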