Bug 1369774 - Fix ICUpdatedStub::addUpdateStubForValue to handle TypedObjects correctly. r=tcampbell

2017-06-27 09:59:54 -07:00 · 2017-06-27 09:59:54 -07:00 · 729cc74d0d
--- a/js/src/jit-test/tests/TypedObject/bug1369774.js
+++ b/js/src/jit-test/tests/TypedObject/bug1369774.js
@ -0,0 +1,7 @@
+if (!this.hasOwnProperty("TypedObject"))
+    quit();
+var T = TypedObject;
+var S = new T.StructType({f: T.Object});
+var o = new S();
+for (var i = 0; i < 15; i++)
+    o.f = null;
--- a/js/src/jit/SharedIC.cpp
+++ b/js/src/jit/SharedIC.cpp
@ -2555,22 +2555,33 @@ ICUpdatedStub::addUpdateStubForValue(JSContext* cx, HandleScript outerScript, Ha
    if (val.isUndefined() && CanHaveEmptyPropertyTypesForOwnProperty(obj))
        AddTypePropertyId(cx, obj, id, val);

-    HeapTypeSet* types = nullptr;
-    if (!obj->group()->unknownProperties()) {
-        types = obj->group()->maybeGetProperty(id);
-        MOZ_ASSERT(types);
+    bool unknown = false, unknownObject = false;
+    if (obj->group()->unknownProperties()) {
+        unknown = unknownObject = true;
+    } else {
+        if (HeapTypeSet* types = obj->group()->maybeGetProperty(id)) {
+            unknown = types->unknown();
+            unknownObject = types->unknownObject();
+        } else {
+            // We don't record null/undefined types for certain TypedObject
+            // properties. In these cases |types| is allowed to be nullptr
+            // without implying unknown types. See DoTypeUpdateFallback.
+            MOZ_ASSERT(obj->is<TypedObject>());
+            MOZ_ASSERT(val.isNullOrUndefined());
+        }
    }
+    MOZ_ASSERT_IF(unknown, unknownObject);

    // Don't attach too many SingleObject/ObjectGroup stubs unless we can
    // replace them with a single PrimitiveSet or AnyValue stub.
    if (numOptimizedStubs_ >= MAX_OPTIMIZED_STUBS &&
        val.isObject() &&
-        (types && !types->unknownObject()))
+        !unknownObject)
    {
        return true;
    }

-    if (!types || types->unknown()) {
+    if (unknown) {
        // Attach a stub that always succeeds. We should not have a
        // TypeUpdate_AnyValue stub yet.
        MOZ_ASSERT(!hasTypeUpdateStub(TypeUpdate_AnyValue));
@ -2586,7 +2597,7 @@ ICUpdatedStub::addUpdateStubForValue(JSContext* cx, HandleScript outerScript, Ha
        JitSpew(JitSpew_BaselineIC, "  Added TypeUpdate stub %p for any value", stub);
        addOptimizedUpdateStub(stub);

-    } else if (val.isPrimitive() || types->unknownObject()) {
+    } else if (val.isPrimitive() || unknownObject) {
        JSValueType type = val.isDouble() ? JSVAL_TYPE_DOUBLE : val.extractNonDoubleType();

        // Check for existing TypeUpdate stub.