Bug 937793 - Tweaks to template-array creation. r=bhackett, a=abillings
authorJeff Walden <jwalden@mit.edu>
Wed, 18 Dec 2013 20:14:16 -0500
changeset 175437 d97ff8e10e2fdc5d40e426a620afe9bb87b1f6d9
parent 175436 facabfc24d512d46af89bdd36c17515dc1a40bc3
child 175438 8f7687732fd14463a711d64e8453a7379279cc04
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
treeherdermozilla-release@dc38b741b04e [default view] [failures only]
reviewersbhackett, abillings
bugs937793
milestone28.0a2
Bug 937793 - Tweaks to template-array creation. r=bhackett, a=abillings
js/src/jit/BaselineIC.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -7772,20 +7772,23 @@ TryAttachFunApplyStub(JSContext *cx, ICC
 static bool
 GetTemplateObjectForNative(JSContext *cx, HandleScript script, jsbytecode *pc,
                            Native native, const CallArgs &args, MutableHandleObject res)
 {
     // Check for natives to which template objects can be attached. This is
     // done to provide templates to Ion for inlining these natives later on.
 
     if (native == js_Array) {
+        // Note: the template array won't be used if its length is inaccurately
+        // computed here.  (We allocate here because compilation may occur on a
+        // separate thread where allocation is impossible.)
         size_t count = 0;
-        if (args.hasDefined(1))
+        if (args.length() != 1)
             count = args.length();
-        else if (args.hasDefined(0) && args[0].isInt32() && args[0].toInt32() > 0)
+        else if (args.length() == 1 && args[0].isInt32() && args[0].toInt32() >= 0)
             count = args[0].toInt32();
         res.set(NewDenseUnallocatedArray(cx, count, nullptr, TenuredObject));
         if (!res)
             return false;
 
         types::TypeObject *type = types::TypeScript::InitObject(cx, script, pc, JSProto_Array);
         if (!type)
             return false;
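Review bot: When `args.length() == 1` and `args[0]` is not a non-negative int32 (a double, a string, an object), `count` silently stays 0. For a non-numeric single argument the array `Array` actually builds would have length 1. The new comment says a wrongly sized template "won't be used", but the check that enforces this is not in the hunk, so the comment should name it, e.g. `// The consumer must compare the template's length with the call's actual arguments before using it; see <function that performs the check>.` A memory-safety assumption then stays traceable from this site. Separately, the `args.length() == 1` test in the `else if` is always true once the first branch is not taken, so it can be reduced to `else if (args[0].isInt32() && args[0].toInt32() >= 0)`. The body of GetTemplateObjectForNative continues past the end of the hunk, so later uses of `res` are not visible here.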