Bug 929261 - Fix for GetElementIC. r=shu, a=abillings
authorEric Faust <efaustbmo@gmail.com>
Tue, 12 Nov 2013 09:34:10 -0500
changeset 166494 f115afa3759718e84a704e7d3967242146cac06a
parent 166493 eb748b48040248535ee9f1e877d202837522a609
child 166495 2a3c20049190caf7151ef68283a9d80f9ac9761f
push id3066
push userakeybl@mozilla.com
push dateMon, 09 Dec 2013 19:58:46 +0000
reviewersshu, abillings
bugs929261
milestone27.0a2
Bug 929261 - Fix for GetElementIC. r=shu, a=abillings
js/src/jit/IonCaches.cpp
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@@ -3167,22 +3167,37 @@ GetElementIC::attachDenseElement(JSConte
     setHasDenseStub();
     return linkAndAttachStub(cx, masm, attacher, ion, "dense array");
 }
 
 /* static */ bool
 GetElementIC::canAttachTypedArrayElement(JSObject *obj, const Value &idval,
                                          TypedOrValueRegister output)
 {
-    if (!obj->is<TypedArrayObject>() ||
-        (!(idval.isInt32()) &&
-         !(idval.isString() && GetIndexFromString(idval.toString()) != UINT32_MAX)))
-    {
+    if (!obj->is<TypedArrayObject>())
+        return false;
+
+    if (!idval.isInt32() && !idval.isString())
         return false;
+
+
+    // Don't emit a stub if the access is out of bounds. We make to make
+    // certain that we monitor the type coming out of the typed array when
+    // we generate the stub. Out of bounds accesses will hit the fallback
+    // path.
+    uint32_t index;
+    if (idval.isInt32()) {
+        index = idval.toInt32();
+    } else {
+        index = GetIndexFromString(idval.toString());
+        if (index == UINT32_MAX)
+            return false;
     }
+    if (index >= obj->as<TypedArrayObject>().length())
+        return false;
 
     // The output register is not yet specialized as a float register, the only
     // way to accept float typed arrays for now is to return a Value type.
     int arrayType = obj->as<TypedArrayObject>().type();
     bool floatOutput = arrayType == ScalarTypeRepresentation::TYPE_FLOAT32 ||
                        arrayType == ScalarTypeRepresentation::TYPE_FLOAT64;
     return !floatOutput || output.hasValue();
 }
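Review bot: The new `idval.isInt32()` branch stores a possibly negative int32 into the `uint32_t index`, so a negative index is rejected only because it wraps to a large value that fails the `index >= length()` test two lines later; that is correct but silent, and worth making explicit so the bounds check is not weakened by a later edit, e.g. `// A negative index wraps to a large uint32_t and is rejected by the length check below.` followed by `index = uint32_t(idval.toInt32());`. The comment introduced above the check reads "We make to make certain", presumably "We have to make certain", and the double blank line before it looks unintended. The length check itself is the right place for this guard, since it keeps out-of-bounds accesses on the monitored fallback path rather than in an unmonitored stub.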