From 9f4e4d2fefa7cb85a36104ab82f2c0a412db1209 Mon Sep 17 00:00:00 2001
From: Dan Gohman
Date: Fri, 13 Dec 2013 08:27:47 -0800
Subject: [PATCH] Bug 949171 - SpiderMonkey: Tighten up various assertions. r=nbp
---
 js/src/jit/BacktrackingAllocator.cpp | 1 +
 js/src/jit/BitSet.h | 12 ++++++------
 js/src/jit/CodeGenerator.cpp | 12 ++++++++++--
 js/src/jit/LIR.cpp | 5 +++--
 js/src/jit/Lowering.cpp | 1 +
 js/src/jit/MIR.h | 1 +
 js/src/jit/MIRGraph.cpp | 2 ++
 js/src/jit/RangeAnalysis.cpp | 2 +-
 8 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
index bd601cc0a884..803079fc2879 100644
--- a/js/src/jit/BacktrackingAllocator.cpp
+++ b/js/src/jit/BacktrackingAllocator.cpp
@@ -835,6 +835,7 @@ BacktrackingAllocator::spill(LiveInterval *interval)
 IonSpew(IonSpew_RegAlloc, "Spilling interval");
 JS_ASSERT(interval->requirement()->kind() == Requirement::NONE);
+ JS_ASSERT(!interval->getAllocation()->isStackSlot());
 // We can't spill bogus intervals.
 JS_ASSERT(interval->hasVreg());
diff --git a/js/src/jit/BitSet.h b/js/src/jit/BitSet.h
index 730557be1efb..4135c346ad38 100644
--- a/js/src/jit/BitSet.h
+++ b/js/src/jit/BitSet.h
@@ -58,7 +58,7 @@ class BitSet : private TempObject
 // O(1): Check if this set contains the given value.
 bool contains(unsigned int value) const {
 JS_ASSERT(bits_);
- JS_ASSERT(value <= max_);
+ JS_ASSERT(value < max_);
 return !!(bits_[wordForValue(value)] & bitForValue(value));
 }
@@ -69,7 +69,7 @@ class BitSet : private TempObject
 // O(1): Insert the given value into this set.
 void insert(unsigned int value) {
 JS_ASSERT(bits_);
- JS_ASSERT(value <= max_);
+ JS_ASSERT(value < max_);
 bits_[wordForValue(value)] |= bitForValue(value);
 }
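Review bot: The switch from `value <= max_` to `value < max_` in `contains()` makes `max_` an exclusive bound, but nothing visible in the hunk documents that; a comment on the member such as `// Number of values the set can hold; valid members are [0, max_).` would keep the off-by-one from creeping back in. The same applies to `insert()`, `remove()` and the three iterator assertions in the later BitSet.h hunks. These assertions guard direct indexing into `bits_`, and JS_ASSERT is a debug-only check as far as I know, so release builds still depend entirely on callers passing in-range values. The declaration of `max_` is outside the hunk.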
@@ -80,7 +80,7 @@ class BitSet : private TempObject
 // O(1): Remove the given value from this set.
 void remove(unsigned int value) {
 JS_ASSERT(bits_);
- JS_ASSERT(value <= max_);
+ JS_ASSERT(value < max_);
 bits_[wordForValue(value)] &= ~bitForValue(value);
 }
@@ -137,7 +137,7 @@ class BitSet::Iterator
 inline Iterator& operator++(int dummy) {
 JS_ASSERT(more());
- JS_ASSERT(index_ <= set_.max_);
+ JS_ASSERT(index_ < set_.max_);
 index_++;
 value_ >>= 1;
@@ -158,12 +158,12 @@ class BitSet::Iterator
 index_ += numZeros;
 value_ >>= numZeros;
- JS_ASSERT_IF(index_ <= set_.max_, set_.contains(index_));
+ JS_ASSERT_IF(index_ < set_.max_, set_.contains(index_));
 return *this;
 }
 unsigned int operator *() {
- JS_ASSERT(index_ <= set_.max_);
+ JS_ASSERT(index_ < set_.max_);
 return index_;
 }
 };
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 9f27af7b3c79..f0c05f4ed83b 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -1139,6 +1139,7 @@ CodeGenerator::visitStackArgT(LStackArgT *lir)
 const LAllocation *arg = lir->getArgument();
 MIRType argType = lir->mir()->getArgument()->type();
 uint32_t argslot = lir->argslot();
+ JS_ASSERT(argslot - 1u < graph.argumentSlotCount());
 int32_t stack_offset = StackOffsetOfPassedArg(argslot);
 Address dest(StackPointer, stack_offset);
@@ -1150,7 +1151,9 @@ CodeGenerator::visitStackArgT(LStackArgT *lir)
 else
 masm.storeValue(*(arg->toConstant()), dest);
- return pushedArgumentSlots_.append(StackOffsetToSlot(stack_offset));
+ uint32_t slot = StackOffsetToSlot(stack_offset);
+ JS_ASSERT(slot - 1u < graph.totalSlotCount());
+ return pushedArgumentSlots_.append(slot);
 }
 bool
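Review bot: `JS_ASSERT(argslot - 1u < graph.argumentSlotCount());` in `visitStackArgT` relies on unsigned wraparound to reject `argslot == 0`, which is easy to misread as an off-by-one. If slots are indeed 1-based here, a short comment such as `// argslot is 1-based; 0 wraps around and fails the check.` would make the intended range explicit. The same idiom appears in `slot - 1u < graph.totalSlotCount()` in the next hunk and in both assertions added to `visitStackArgV`. These values feed stack offsets used for stores, so the accepted range is worth spelling out. The function bodies start and end outside these hunks.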
@@ -1158,10 +1161,15 @@ CodeGenerator::visitStackArgV(LStackArgV *lir)
 {
 ValueOperand val = ToValue(lir, 0);
 uint32_t argslot = lir->argslot();
+ JS_ASSERT(argslot - 1u < graph.argumentSlotCount());
+
 int32_t stack_offset = StackOffsetOfPassedArg(argslot);
 masm.storeValue(val, Address(StackPointer, stack_offset));
- return pushedArgumentSlots_.append(StackOffsetToSlot(stack_offset));
+
+ uint32_t slot = StackOffsetToSlot(stack_offset);
+ JS_ASSERT(slot - 1u < graph.totalSlotCount());
+ return pushedArgumentSlots_.append(slot);
 }
 bool
diff --git a/js/src/jit/LIR.cpp b/js/src/jit/LIR.cpp
index 114a6724841e..7fef35f37b2f 100644
--- a/js/src/jit/LIR.cpp
+++ b/js/src/jit/LIR.cpp
@@ -73,8 +73,9 @@ LBlock::lastId()
 {
 LInstruction *last = *instructions_.rbegin();
 JS_ASSERT(last->id());
- if (last->numDefs())
- return last->getDef(last->numDefs() - 1)->virtualRegister();
+ // The last instruction is a control flow instruction which does not have
+ // any output.
+ JS_ASSERT(last->numDefs() == 0);
 return last->id();
 }
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index 875ae3b7ff1e..5f0b099ba712 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -305,6 +305,7 @@ LIRGenerator::visitPassArg(MPassArg *arg)
 {
 MDefinition *opd = arg->getArgument();
 uint32_t argslot = getArgumentSlot(arg->getArgnum());
+ JS_ASSERT(arg->getArgnum() < prepareCallStack_.back()->argc());
 // Pass through the virtual register of the operand.
 // This causes snapshots to correctly copy the operand on the stack.
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 97207eed77b7..3eff668f0e5a 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -2829,6 +2829,7 @@ class MPassArg
 // Set by the MCall.
 void setArgnum(uint32_t argnum) {
 argnum_ = argnum;
+ JS_ASSERT(argnum_ >= 0);
 }
 uint32_t getArgnum() const {
 JS_ASSERT(argnum_ >= 0);
diff --git a/js/src/jit/MIRGraph.cpp b/js/src/jit/MIRGraph.cpp
index ac4034f6a536..96fb758b3016 100644
--- a/js/src/jit/MIRGraph.cpp
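Review bot: `lastId()` now only asserts `last->numDefs() == 0` before returning `last->id()`, so the runtime fallback for a defining last instruction is gone. JS_ASSERT is a debug-only check as far as I know, so a release build in which a block ever ended with a defining instruction would silently return an id below the block's highest virtual register. The new comment states the invariant as "control flow instruction", while the assertion only tests the def count; if LInstruction exposes a control-instruction predicate, asserting that as well would match the comment. `*instructions_.rbegin()` is still dereferenced without an emptiness check, which this hunk leaves as it was.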
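Review bot: The added `JS_ASSERT(arg->getArgnum() < prepareCallStack_.back()->argc());` in `visitPassArg` comes after `getArgumentSlot(arg->getArgnum())` has already consumed the value it checks. Moving the assertion above the `uint32_t argslot = ...` line would validate the index before it is turned into a slot. It also calls `prepareCallStack_.back()` without checking that the stack is non-empty; a preceding `JS_ASSERT(!prepareCallStack_.empty());` would turn that case into a clear failure, assuming the container offers `empty()`. The rest of the function is outside the hunk.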
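Review bot: `JS_ASSERT(argnum_ >= 0);` in `setArgnum` checks the member only after the `uint32_t` parameter has been converted into it, and the member's declared type is outside the hunk. If `argnum_` is unsigned the assertion is always true; if it is a signed 32-bit field, the check only catches arguments above INT32_MAX once they have wrapped negative. Asserting on the parameter before the assignment, for example `JS_ASSERT(argnum <= INT32_MAX);`, would state the accepted range directly.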
+++ b/js/src/jit/MIRGraph.cpp
@@ -763,6 +763,7 @@ MBasicBlock::discardAllResumePoints(bool discardEntry)
 void
 MBasicBlock::insertBefore(MInstruction *at, MInstruction *ins)
 {
+ JS_ASSERT(at->block() == this);
 ins->setBlock(this);
 graph().allocDefinitionId(ins);
 instructions_.insertBefore(at, ins);
@@ -772,6 +773,7 @@ MBasicBlock::insertBefore(MInstruction *at, MInstruction *ins)
 void
 MBasicBlock::insertAfter(MInstruction *at, MInstruction *ins)
 {
+ JS_ASSERT(at->block() == this);
 ins->setBlock(this);
 graph().allocDefinitionId(ins);
 instructions_.insertAfter(at, ins);
diff --git a/js/src/jit/RangeAnalysis.cpp b/js/src/jit/RangeAnalysis.cpp
index a60f4ca555a1..bef8925e1d0a 100644
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -994,7 +994,7 @@ MPhi::computeRange(TempAllocator &alloc)
 return;
 Range *range = nullptr;
- JS_ASSERT(getOperand(0)->op() != MDefinition::Op_OsrValue);
+ JS_ASSERT(!isOSRLikeValue(getOperand(0)));
 for (size_t i = 0, e = numOperands(); i < e; i++) {
 if (getOperand(i)->block()->unreachable()) {
 IonSpew(IonSpew_Range, "Ignoring unreachable input %d", getOperand(i)->id());