Bug 1415119 - Support out-of-bounds indexes in PostWriteElementBarrier. r=jonco
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 08 Nov 2017 09:21:27 +0100
changeset 443975 8b64b1c8347b77450b44135ab1fe713caf79a4d6
parent 443973 c376bb034ca65153a99e06ddd5dd9e69885823a1
child 443976 dcf5bf004564e60942528edb3d1017d04cea479a
reviewersjonco
bugs1415119
milestone58.0a1
Bug 1415119 - Support out-of-bounds indexes in PostWriteElementBarrier. r=jonco
js/src/jit/MCallOptimize.cpp
js/src/jit/VMFunctions.cpp
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -853,18 +853,23 @@ IonBuilder::inlineArrayPush(CallInfo& ca
     for (uint32_t i = 0; i < callInfo.argc(); i++) {
         MDefinition* value = callInfo.getArg(i);
         if (toDouble) {
             MInstruction* valueDouble = MToDouble::New(alloc(), value);
             current->add(valueDouble);
             value = valueDouble;
         }
 
-        if (needsPostBarrier(value))
-            current->add(MPostWriteBarrier::New(alloc(), obj, value));
+        if (needsPostBarrier(value)) {
+            MInstruction* elements = MElements::New(alloc(), obj);
+            current->add(elements);
+            MInstruction* initLength = MInitializedLength::New(alloc(), elements);
+            current->add(initLength);
+            current->add(MPostWriteElementBarrier::New(alloc(), obj, value, initLength));
+        }
 
         ins = MArrayPush::New(alloc(), obj, value);
         current->add(ins);
 
         if (callInfo.argc() > 1) {
             // Restore that call stack and the array length.
             MOZ_TRY(resumeAt(ins, pc));
             ins->resumePoint()->addStore(alloc(), truncate, lastRp);
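Review bot: The index handed to MPostWriteElementBarrier on the new lines is the array's initialized length read before MArrayPush runs, so at the time the barrier executes it is by construction one past the last initialized element; nothing in the hunk says so, and a reader comparing it with the plain MPostWriteBarrier it replaces will wonder why an out-of-range index is being passed. A short comment above the MElements line would carry that: `// The barrier runs before the push, so initLength is the (still out-of-bounds) slot the push will write; the VM side must tolerate that.` Because MElements and MInitializedLength are created inside the per-argument loop they are re-read after each push, which is what makes the index correct for the second and later arguments; that is worth a half-sentence in the same comment. Whether the barrier node is created with its out-of-bounds mode cannot be seen from this hunk, since MPostWriteElementBarrier::New is defined elsewhere. inlineArrayPush begins and ends outside the hunk.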
--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@@ -686,19 +686,17 @@ PostWriteElementBarrier(JSRuntime* rt, J
 {
     AutoUnsafeCallWithABI unsafe;
 
     MOZ_ASSERT(!IsInsideNursery(obj));
 
     if (InBounds == IndexInBounds::Yes) {
         MOZ_ASSERT(uint32_t(index) < obj->as<NativeObject>().getDenseInitializedLength());
     } else {
-        if (MOZ_UNLIKELY(!obj->is<NativeObject>()) ||
-            uint32_t(index) >= obj->as<NativeObject>().getDenseInitializedLength())
-        {
+        if (MOZ_UNLIKELY(!obj->is<NativeObject>() || index < 0)) {
             rt->gc.storeBuffer().putWholeCell(obj);
             return;
         }
     }
 
     NativeObject* nobj = &obj->as<NativeObject>();
     if (nobj->isInWholeCellBuffer())
         return;
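Review bot: The rewritten condition on the `else` branch drops the `index >= getDenseInitializedLength()` guard, so any non-negative index on a NativeObject now falls through to the code below the hunk; the whole-cell fallback used to be the only thing keeping an out-of-range index away from that code, and the part of the function that consumes `index` is outside this hunk, so I cannot confirm from here that it no longer assumes `index` is within the initialized length. If that later code indexes the dense elements directly it needs its own bounds check, otherwise a comment on the branch should say why it does not. Either way the condition deserves a line stating the new contract, e.g. `// Negative indexes still go through the whole-cell buffer; indexes at or past the initialized length are allowed here (the caller may be about to grow the array).` The in-bounds branch keeps `uint32_t(index) < ...` inside MOZ_ASSERT only, which is consistent with the new contract since a negative index cannot reach it. PostWriteElementBarrier's signature and remainder lie outside the hunk.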