Bug 1204722 - Make sure that unboxed arrays created from literals are compatible with the type of the literal's elements, r=jandem.

2024-10-24 18:55:30 +00:00 · 2015-09-22 09:07:35 -06:00 · 2015-09-22 09:07:35 -06:00 · e49a6e8fcc
commit e49a6e8fcc
parent 56db76a2f3
2 changed files with 41 additions and 2 deletions
--- a/js/src/jit-test/tests/basic/bug1204722.js
+++ b/js/src/jit-test/tests/basic/bug1204722.js
@ -0,0 +1,7 @@
+
+x = [1e81];
+x.map(function() {});
+x.pop();
+x.push([]);
+[].map(function() {});
+eval("[1/0]");
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@ -867,8 +867,40 @@ ObjectGroup::newArrayObject(ExclusiveContext* cx,
            return nullptr;
    }

-    return NewCopiedArrayTryUseGroup(cx, group, vp, length, newKind,
-                                     ShouldUpdateTypes::DontUpdate);
+    // The type of the elements being added will already be reflected in type
+    // information, but make sure when creating an unboxed array that the
+    // common element type is suitable for the unboxed representation.
+    ShouldUpdateTypes updateTypes = ShouldUpdateTypes::DontUpdate;
+    if (group->maybePreliminaryObjects())
+        group->maybePreliminaryObjects()->maybeAnalyze(cx, group);
+    if (group->maybeUnboxedLayout()) {
+        switch (group->unboxedLayout().elementType()) {
+          case JSVAL_TYPE_BOOLEAN:
+            if (elementType != TypeSet::BooleanType())
+                updateTypes = ShouldUpdateTypes::Update;
+            break;
+          case JSVAL_TYPE_INT32:
+            if (elementType != TypeSet::Int32Type())
+                updateTypes = ShouldUpdateTypes::Update;
+            break;
+          case JSVAL_TYPE_DOUBLE:
+            if (elementType != TypeSet::Int32Type() && elementType != TypeSet::DoubleType())
+                updateTypes = ShouldUpdateTypes::Update;
+            break;
+          case JSVAL_TYPE_STRING:
+            if (elementType != TypeSet::StringType())
+                updateTypes = ShouldUpdateTypes::Update;
+            break;
+          case JSVAL_TYPE_OBJECT:
+            if (elementType != TypeSet::NullType() && !elementType.get().isObjectUnchecked())
+                updateTypes = ShouldUpdateTypes::Update;
+            break;
+          default:
+            MOZ_CRASH();
+        }
+    }
+
+    return NewCopiedArrayTryUseGroup(cx, group, vp, length, newKind, updateTypes);
 }

 // Try to change the group of |source| to match that of |target|.