Bug 1330662 - IonMonkey: Don't check the size of a zero TypedArrayObject when not used. r=jandem, a=gchang
authorHannes Verschore <hv1989@gmail.com>
Mon, 16 Jan 2017 12:46:48 +0100
changeset 353645 a66dd0e983f270e62cb78c748905e08f2f21fce1
parent 353644 1698410cc121e47e714c13936853d47f43d2841c
child 353646 3cfe2b9f1e9447f4c9a8af911f5d58f18d63a94b
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
reviewersjandem, gchang
bugs1330662
milestone52.0a2
Bug 1330662 - IonMonkey: Don't check the size of a zero TypedArrayObject when not used. r=jandem, a=gchang
js/src/jit-test/tests/ion/bug1330662.js
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1330662.js
@@ -0,0 +1,5 @@
+
+for (i=0;i<10000;++i) {
+    a = inIon() ? 0 : 300;
+    buf = new Uint8ClampedArray(a);
+}
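Review bot: The new test has no comment saying what it guards and opens with an empty line; a header such as `// Bug 1330662: dropping the length to 0 once running in Ion must not assert in TypedArrayObject::finalize.` would tell the next reader why the length depends on `inIon()`. The zero-length path is only taken once `inIon()` becomes truthy within the 10000 iterations, so a configuration where this script never reaches Ion may not exercise the case; that is probably acceptable for a jit-test but worth stating in the comment. `i`, `a` and `buf` are implicit globals, and declaring them with `var` would keep the test self-contained.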
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -157,16 +157,21 @@ TypedArrayObject::trace(JSTracer* trc, J
 }
 
 void
 TypedArrayObject::finalize(FreeOp* fop, JSObject* obj)
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
     TypedArrayObject* curObj = &obj->as<TypedArrayObject>();
 
+    // Template objects or discarded objects (which didn't have enough room
+    // for inner elements). Don't have anything to free.
+    if (!curObj->elementsRaw())
+        return;
+
     curObj->assertZeroLengthArrayData();
 
     // Typed arrays with a buffer object do not need to be free'd
     if (curObj->hasBuffer())
         return;
 
     // Free the data slot pointer if it does not point into the old JSObject.
     if (!curObj->hasInlineElements())
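Review bot: The new early return in `finalize` treats a null `elementsRaw()` as "nothing to free", which is only sound if every allocation path, including the Ion one, stores null in the data slot before the object can become visible to the GC. The hunk does not show that invariant, and a stale non-null value would still reach the free path below, so the comment should name it. The return also sits above `assertZeroLengthArrayData()`, so that assertion no longer covers these objects at all; this looks intended but is worth stating. The added comment is a sentence fragment ("inner" presumably means inline), and I would write `// Template objects and discarded objects (which had no room for inline elements) have a null data pointer, so there is nothing to free. Relies on the data slot being null until elements are attached.` The body of `finalize` continues past the end of the hunk.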