Bug 1146410: IonMonkey: When filtering IsObject use the correct type, r=jandem
authorHannes Verschore <hv1989@gmail.com>
Thu, 26 Mar 2015 12:14:01 +0100
changeset 266130 c58c75afbd913fc509a9486121764a4f71c94511
parent 266129 106f8198c67e5ae377a082924bfbc76aeed382ca
child 266131 4c099b1b4e58dec6394e98275689136d07eca00e
push id830
push userraliiev@mozilla.com
push dateFri, 19 Jun 2015 19:24:37 +0000
treeherdermozilla-release@932614382a68 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1146410
milestone39.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1146410: IonMonkey: When filtering IsObject use the correct type, r=jandem
js/src/jit-test/tests/ion/bug1146410.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1146410.js
@@ -0,0 +1,9 @@
+// |jit-test| error: TypeError
+function foo() {
+  var ws = new WeakSet();
+  ws.add({});
+  for (var i = 0; i < 10; i++)
+    ws.add(WeakSet + "");
+}
+foo();
+delete Math
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -3654,40 +3654,41 @@ IonBuilder::improveTypesAtTest(MDefiniti
     // default behavior must return.  The default behavior assumes that a true
     // test means the incoming ins is not null or undefined and that a false
     // tests means it's one of null, undefined, false, 0, "", and objects
     // emulating undefined
     switch (ins->op()) {
       case MDefinition::Op_Not:
         return improveTypesAtTest(ins->toNot()->getOperand(0), !trueBranch, test);
       case MDefinition::Op_IsObject: {
-        TemporaryTypeSet *oldType = ins->getOperand(0)->resultTypeSet();
+        MDefinition *subject = ins->getOperand(0);
+        TemporaryTypeSet *oldType = subject->resultTypeSet();
 
         // Create temporary typeset equal to the type if there is no resultTypeSet.
         TemporaryTypeSet tmp;
         if (!oldType) {
-            if (ins->type() == MIRType_Value)
+            if (subject->type() == MIRType_Value)
                 return true;
             oldType = &tmp;
-            tmp.addType(TypeSet::PrimitiveType(ValueTypeFromMIRType(ins->type())), alloc_->lifoAlloc());
+            tmp.addType(TypeSet::PrimitiveType(ValueTypeFromMIRType(subject->type())), alloc_->lifoAlloc());
         }
 
         if (oldType->unknown())
             return true;
 
         TemporaryTypeSet *type = nullptr;
         if (trueBranch)
             type = oldType->cloneObjectsOnly(alloc_->lifoAlloc());
         else
             type = oldType->cloneWithoutObjects(alloc_->lifoAlloc());
 
         if (!type)
             return false;
 
-        return replaceTypeSet(ins->getOperand(0), type, test);
+        return replaceTypeSet(subject, type, test);
       }
       case MDefinition::Op_Phi: {
         bool branchIsAnd = true;
         if (!detectAndOrStructure(ins->toPhi(), &branchIsAnd)) {
             // Just fall through to the default behavior.
             break;
         }