Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-29 07:42:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1196590 - Don't assume that objects without shapes are unboxed plain objects, r=jandem.

Browse Source
This commit is contained in:
Brian Hackett 2015-08-24 10:30:51 -06:00
parent d45a22a11a
commit f1fc12d77b
3 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
js/src/jit-test/tests/ion/bug1196590.js Normal file
View File

@ -0,0 +1,11 @@
function bar(x, i) {
if (i == 50)
x.length = 0;
}
function foo(x, j, n) {
for (var i = 0; i < n; i++) {
bar(x, i);
}
}
var a = foo([1,2,3,4], 3, 100);

1
js/src/jit/BaselineIC.cpp
View File

@ -7953,6 +7953,7 @@ DoSetPropFallback(JSContext* cx, BaselineFrame* frame, ICSetProp_Fallback* stub_
RootedReceiverGuard oldGuard(cx, ReceiverGuard(obj));
if (obj->is<UnboxedPlainObject>()) {
MOZ_ASSERT(!oldShape);
if (UnboxedExpandoObject* expando = obj->as<UnboxedPlainObject>().maybeExpando())
oldShape = expando->lastProperty();
}

3
js/src/jit/IonCaches.cpp
View File

@ -3309,7 +3309,8 @@ SetPropertyIC::update(JSContext* cx, HandleScript outerScript, size_t cacheIndex
}
RootedShape oldShape(cx, obj->maybeShape());
if (!oldShape) {
if (obj->is<UnboxedPlainObject>()) {
MOZ_ASSERT(!oldShape);
if (UnboxedExpandoObject* expando = obj->as<UnboxedPlainObject>().maybeExpando())
oldShape = expando->lastProperty();
}