Bug 836774 - Prevent objects/strings from flowing to an MToDouble, r=jandem.

2025-02-27 04:38:02 +00:00 · 2013-02-01 06:44:17 -07:00 · 2013-02-01 06:44:17 -07:00 · f80aa819db
commit f80aa819db
parent df7f8dbc2e
5 changed files with 41 additions and 11 deletions
--- a/js/src/ion/Lowering.cpp
+++ b/js/src/ion/Lowering.cpp
@ -1234,7 +1234,7 @@ LIRGenerator::visitToDouble(MToDouble *convert)
      default:
        // Objects might be effectful.
        // Strings are complicated - we don't handle them yet.
-        JS_ASSERT(!"unexpected type");
+        JS_NOT_REACHED("unexpected type");
        return false;
    }
 }
@ -1281,7 +1281,7 @@ LIRGenerator::visitToInt32(MToInt32 *convert)
        return false;

      default:
-        JS_ASSERT(!"unexpected type");
+        JS_NOT_REACHED("unexpected type");
        return false;
    }
 }
@ -1314,7 +1314,7 @@ LIRGenerator::visitTruncateToInt32(MTruncateToInt32 *truncate)
      default:
        // Objects might be effectful.
        // Strings are complicated - we don't handle them yet.
-        JS_ASSERT(!"unexpected type");
+        JS_NOT_REACHED("unexpected type");
        return false;
    }
 }
@ -1329,7 +1329,7 @@ LIRGenerator::visitToString(MToString *ins)
      case MIRType_Null:
      case MIRType_Undefined:
      case MIRType_Boolean:
-        JS_ASSERT(!"NYI: Lower MToString");
+        JS_NOT_REACHED("NYI: Lower MToString");
        return false;

      case MIRType_Int32: {
@ -1342,7 +1342,7 @@ LIRGenerator::visitToString(MToString *ins)

      default:
        // Objects might be effectful. (see ToPrimitive)
-        JS_ASSERT(!"unexpected type");
+        JS_NOT_REACHED("unexpected type");
        return false;
    }
 }
@ -1425,7 +1425,7 @@ LIRGenerator::visitLoadSlot(MLoadSlot *ins)

      case MIRType_Undefined:
      case MIRType_Null:
-        JS_ASSERT(!"typed load must have a payload");
+        JS_NOT_REACHED("typed load must have a payload");
        return false;

      default:
@ -1577,7 +1577,7 @@ LIRGenerator::visitNot(MNot *ins)
      }

      default:
-        JS_ASSERT(!"Unexpected MIRType.");
+        JS_NOT_REACHED("Unexpected MIRType.");
        return false;
    }
 }
@ -1638,7 +1638,7 @@ LIRGenerator::visitLoadElement(MLoadElement *ins)
      }
      case MIRType_Undefined:
      case MIRType_Null:
-        JS_ASSERT(!"typed load must have a payload");
+        JS_NOT_REACHED("typed load must have a payload");
        return false;

      default:
@ -1739,7 +1739,7 @@ LIRGenerator::visitArrayPopShift(MArrayPopShift *ins)
      }
      case MIRType_Undefined:
      case MIRType_Null:
-        JS_ASSERT(!"typed load must have a payload");
+        JS_NOT_REACHED("typed load must have a payload");
        return false;

      default:
@ -1835,7 +1835,7 @@ LIRGenerator::visitClampToUint8(MClampToUint8 *ins)
      }

      default:
-        JS_ASSERT(!"unexpected type");
+        JS_NOT_REACHED("unexpected type");
        return false;
    }
 }
--- a/js/src/ion/MIR.h
+++ b/js/src/ion/MIR.h
@ -1922,7 +1922,8 @@ class MPassArg : public MUnaryInstruction
 // Converts a primitive (either typed or untyped) to a double. If the input is
 // not primitive at runtime, a bailout occurs.
 class MToDouble
-  : public MUnaryInstruction
+  : public MUnaryInstruction,
+    public ToDoublePolicy
 {
    MToDouble(MDefinition *def)
      : MUnaryInstruction(def)
@ -1938,6 +1939,10 @@ class MToDouble
        return new MToDouble(def);
    }

+    TypePolicy *typePolicy() {
+        return this;
+    }
+
    MDefinition *foldsTo(bool useValueNumbers);
    MDefinition *input() const {
        return getOperand(0);
--- a/js/src/ion/TypePolicy.cpp
+++ b/js/src/ion/TypePolicy.cpp
@ -351,6 +351,18 @@ template bool BoxPolicy<0>::staticAdjustInputs(MInstruction *ins);
 template bool BoxPolicy<1>::staticAdjustInputs(MInstruction *ins);
 template bool BoxPolicy<2>::staticAdjustInputs(MInstruction *ins);

+bool
+ToDoublePolicy::staticAdjustInputs(MInstruction *ins)
+{
+    MDefinition *in = ins->getOperand(0);
+    if (in->type() != MIRType_Object && in->type() != MIRType_String)
+        return true;
+
+    in = boxAt(ins, in);
+    ins->replaceOperand(0, in);
+    return true;
+}
+
 template <unsigned Op>
 bool
 ObjectPolicy<Op>::staticAdjustInputs(MInstruction *ins)
--- a/js/src/ion/TypePolicy.h
+++ b/js/src/ion/TypePolicy.h
@ -138,6 +138,16 @@ class DoublePolicy : public BoxInputsPolicy
    }
 };

+// Box objects or strings as an input to a ToDouble instruction.
+class ToDoublePolicy : public BoxInputsPolicy
+{
+  public:
+    static bool staticAdjustInputs(MInstruction *def);
+    bool adjustInputs(MInstruction *def) {
+        return staticAdjustInputs(def);
+    }
+};
+
 template <unsigned Op>
 class ObjectPolicy : public BoxInputsPolicy
 {
--- a/js/src/jit-test/tests/ion/bug836774.js
+++ b/js/src/jit-test/tests/ion/bug836774.js
@ -0,0 +1,3 @@
+
+x = ''.charCodeAt(NaN);
+evaluate("for each (var e in [{}, {}, {}, {}, x]) {}");