Bug 1207572 - Make sure idempotent caches are invalidated when getting the non-int32 length of an array, r=jandem.

2024-10-19 08:15:31 +00:00 · 2015-10-05 10:00:47 -06:00 · 2015-10-05 10:00:47 -06:00 · c7546357ff
commit c7546357ff
parent 4e41796a57
1 changed files with 7 additions and 0 deletions
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@ -1259,6 +1259,13 @@ IsCacheableArrayLength(JSContext* cx, HandleObject obj, HandlePropertyName name,
        return false;
    }

+    // The emitted stub can only handle int32 lengths. If the length of the
+    // actual object does not fit in an int32 then don't attach a stub, as if
+    // the cache is idempotent we won't end up invalidating the compiled script
+    // otherwise.
+    if (obj->as<ArrayObject>().length() > INT32_MAX)
+        return false;
+
    return true;
 }