Bug 1543166 - Add missing null check in IonBuilder::computeHeapType. r=tcampbell a=pascalc
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 10 Apr 2019 12:47:55 +0000
changeset 526119 be119fec61f8d4c6692e30dbc5a633749557eb16
parent 526118 54576c33652de024a955671675369ed85cefabe4
child 526120 281162c3457183da6eccfb440ad0b4eade84910b
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
reviewerstcampbell, pascalc
bugs1543166
milestone67.0
Bug 1543166 - Add missing null check in IonBuilder::computeHeapType. r=tcampbell a=pascalc getObject can return nullptr when the TypeSet uses a TypeHashSet for the objects. Differential Revision: https://phabricator.services.mozilla.com/D26874
js/src/jit-test/tests/ion/bug1543166.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1543166.js
@@ -0,0 +1,17 @@
+function f() {
+    var arr = [];
+    for (var i = 0; i < 12; i++) {
+        // Create a new global to get "DOM" objects with different groups.
+        var g = newGlobal();
+        var o = new g.FakeDOMObject();
+        o[0] = 1;
+        arr.push(o);
+    }
+    var res;
+    for (var i = 0; i < 2000; i++) {
+        var o = arr[i % arr.length];
+        res = o[0];
+    }
+    return res;
+}
+f();
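Review bot: The test explains the new-global trick but not why twelve distinct groups and 2000 iterations are needed, so a later edit that trims either number could silently stop exercising the bug. A header comment tying the file to the commit would help, e.g. `// Bug 1543166: enough distinct object groups that the TypeSet stores them in a hash set, where getObject(i) can return nullptr in IonBuilder::computeHeapType.` The 2000-iteration loop presumably exists only to get f() hot enough for Ion compilation; that is worth stating as well, since a reader may otherwise take it for part of the trigger. The second `var o` in the hot loop re-declares the name used in the setup loop; renaming it (say `obj`) would avoid the shadowing-like pattern without changing behaviour.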
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -9245,16 +9245,19 @@ TemporaryTypeSet* IonBuilder::computeHea
 
   Vector<HeapTypeSetKey, 4, SystemAllocPolicy> properties;
   if (!properties.reserve(objTypes->getObjectCount())) {
     return nullptr;
   }
 
   for (unsigned i = 0; i < objTypes->getObjectCount(); i++) {
     TypeSet::ObjectKey* key = objTypes->getObject(i);
+    if (!key) {
+      continue;
+    }
 
     if (key->unknownProperties()) {
       return nullptr;
     }
 
     HeapTypeSetKey property = key->property(id);
     HeapTypeSet* currentSet = property.maybeTypes();