diff --git a/js/src/jit-test/tests/TypedObject/bug1369774.js b/js/src/jit-test/tests/TypedObject/bug1369774.js new file mode 100644 index 000000000000..3fd2b2ec2db1 --- /dev/null +++ b/js/src/jit-test/tests/TypedObject/bug1369774.js @@ -0,0 +1,7 @@ +if (!this.hasOwnProperty("TypedObject")) + quit(); +var T = TypedObject; +var S = new T.StructType({f: T.Object}); +var o = new S(); +for (var i = 0; i < 15; i++) + o.f = null; diff --git a/js/src/jit/SharedIC.cpp b/js/src/jit/SharedIC.cpp index e82639a5c146..ff4fcf50e183 100644 --- a/js/src/jit/SharedIC.cpp +++ b/js/src/jit/SharedIC.cpp @@ -2555,22 +2555,33 @@ ICUpdatedStub::addUpdateStubForValue(JSContext* cx, HandleScript outerScript, Ha if (val.isUndefined() && CanHaveEmptyPropertyTypesForOwnProperty(obj)) AddTypePropertyId(cx, obj, id, val); - HeapTypeSet* types = nullptr; - if (!obj->group()->unknownProperties()) { - types = obj->group()->maybeGetProperty(id); - MOZ_ASSERT(types); + bool unknown = false, unknownObject = false; + if (obj->group()->unknownProperties()) { + unknown = unknownObject = true; + } else { + if (HeapTypeSet* types = obj->group()->maybeGetProperty(id)) { + unknown = types->unknown(); + unknownObject = types->unknownObject(); + } else { + // We don't record null/undefined types for certain TypedObject + // properties. In these cases |types| is allowed to be nullptr + // without implying unknown types. See DoTypeUpdateFallback. + MOZ_ASSERT(obj->is()); + MOZ_ASSERT(val.isNullOrUndefined()); + } } + MOZ_ASSERT_IF(unknown, unknownObject); // Don't attach too many SingleObject/ObjectGroup stubs unless we can // replace them with a single PrimitiveSet or AnyValue stub. if (numOptimizedStubs_ >= MAX_OPTIMIZED_STUBS && val.isObject() && - (types && !types->unknownObject())) + !unknownObject) { return true; } - if (!types || types->unknown()) { + if (unknown) { // Attach a stub that always succeeds. We should not have a // TypeUpdate_AnyValue stub yet. MOZ_ASSERT(!hasTypeUpdateStub(TypeUpdate_AnyValue)); @@ -2586,7 +2597,7 @@ ICUpdatedStub::addUpdateStubForValue(JSContext* cx, HandleScript outerScript, Ha JitSpew(JitSpew_BaselineIC, " Added TypeUpdate stub %p for any value", stub); addOptimizedUpdateStub(stub); - } else if (val.isPrimitive() || types->unknownObject()) { + } else if (val.isPrimitive() || unknownObject) { JSValueType type = val.isDouble() ? JSVAL_TYPE_DOUBLE : val.extractNonDoubleType(); // Check for existing TypeUpdate stub.