Bug 1090583 - Fix a pre-existing issue with MLoadElementHole and negative index checks. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 10 Mar 2015 13:14:42 +0100
changeset 261598 f785209f088d284ad5d6c0e68dbc3c0a4e9cc6ff
parent 261597 9fdbd96edb91bcedb7bbbccfa0f10cddf8dd48be
child 261599 a18952b215c8a5318e5eca5c9df3fdcd95e34ec3
push id4718
push userraliiev@mozilla.com
push dateMon, 11 May 2015 18:39:53 +0000
treeherdermozilla-beta@c20c4ef55f08 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbhackett
bugs1090583
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1090583 - Fix a pre-existing issue with MLoadElementHole and negative index checks. r=bhackett
js/src/jit/MIR.h
js/src/jit/RangeAnalysis.cpp
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -8194,16 +8194,22 @@ class MLoadElementHole
 
     MLoadElementHole(MDefinition *elements, MDefinition *index, MDefinition *initLength, bool needsHoleCheck)
       : MTernaryInstruction(elements, index, initLength),
         needsNegativeIntCheck_(true),
         needsHoleCheck_(needsHoleCheck)
     {
         setResultType(MIRType_Value);
         setMovable();
+
+        // Set the guard flag to make sure we bail when we see a negative
+        // index. We can clear this flag (and needsNegativeIntCheck_) in
+        // collectRangeInfoPreTrunc.
+        setGuard();
+
         MOZ_ASSERT(elements->type() == MIRType_Elements);
         MOZ_ASSERT(index->type() == MIRType_Int32);
         MOZ_ASSERT(initLength->type() == MIRType_Int32);
     }
 
   public:
     INSTRUCTION_HEADER(LoadElementHole)
 
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -3056,18 +3056,20 @@ MInArray::collectRangeInfoPreTrunc()
     if (indexRange.isFiniteNonNegative())
         needsNegativeIntCheck_ = false;
 }
 
 void
 MLoadElementHole::collectRangeInfoPreTrunc()
 {
     Range indexRange(index());
-    if (indexRange.isFiniteNonNegative())
+    if (indexRange.isFiniteNonNegative()) {
         needsNegativeIntCheck_ = false;
+        setNotGuard();
+    }
 }
 
 void
 MLoadTypedArrayElementStatic::collectRangeInfoPreTrunc()
 {
     Range range(ptr());
 
     if (range.hasInt32LowerBound() && range.hasInt32UpperBound()) {