Bug 1115043: Off-by-one fix in check; r=luke

--HG--
extra : rebase_source : 8df0329a0d71d3dbb0c43f6d0bb7df20a70ba8ac
extra : amend_source : d9a389d9972ae2b4ea88a01e9ebf87d8398d13b7
This commit is contained in:
Benjamin Bouvier 2015-01-05 15:30:16 +01:00
parent 7ef3855197
commit 2a83e5fc34

View File

@ -2211,7 +2211,7 @@ RangeAnalysis::analyze()
Range *range = ins->ptr()->range();
uint32_t elemSize = TypedArrayElemSize(ins->viewType());
if (range && range->hasInt32LowerBound() && range->lower() >= 0 &&
range->hasInt32UpperBound() && uint32_t(range->upper()) + elemSize < minHeapLength) {
range->hasInt32UpperBound() && uint32_t(range->upper()) + elemSize <= minHeapLength) {
ins->removeBoundsCheck();
}
} else if (iter->isAsmJSStoreHeap()) {
@ -2219,7 +2219,7 @@ RangeAnalysis::analyze()
Range *range = ins->ptr()->range();
uint32_t elemSize = TypedArrayElemSize(ins->viewType());
if (range && range->hasInt32LowerBound() && range->lower() >= 0 &&
range->hasInt32UpperBound() && uint32_t(range->upper()) + elemSize < minHeapLength) {
range->hasInt32UpperBound() && uint32_t(range->upper()) + elemSize <= minHeapLength) {
ins->removeBoundsCheck();
}
}