Bug 1657399 - Don't use MNewTypedArray if the length is zero. r=anba

Also add an assertion for this to MacroAssembler::initTypedArraySlots. This replaces some invalid code that used dataSlotOffset instead of dataOffset. Not adding the test because with the new assertion this failed jit-tests. Differential Revision: https://phabricator.services.mozilla.com/D86551
2020-08-11 08:33:11 +00:00 · 2020-08-11 08:33:11 +00:00 · be3490d556
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@ -1081,12 +1081,7 @@ void MacroAssembler::initTypedArraySlots(Register obj, Register temp,
    for (size_t i = 0; i < numZeroPointers; i++) {
      storePtr(ImmWord(0), Address(obj, dataOffset + i * sizeof(char*)));
    }
-#ifdef DEBUG
-    if (nbytes == 0) {
-      store8(Imm32(TypedArrayObject::ZeroLengthArrayData),
-             Address(obj, dataSlotOffset));
-    }
-#endif
+    MOZ_ASSERT(nbytes > 0, "Zero-length TypedArrays need ZeroLengthArrayData");
  } else {
    if (lengthKind == TypedArrayLength::Fixed) {
      move32(Imm32(length), lengthReg);
--- a/js/src/jit/WarpCacheIRTranspiler.cpp
+++ b/js/src/jit/WarpCacheIRTranspiler.cpp
@ -2273,7 +2273,7 @@ bool WarpCacheIRTranspiler::emitNewTypedArrayFromLengthResult(

  if (length->isConstant()) {
    int32_t len = length->toConstant()->toInt32();
-    if (len >= 0 &&
+    if (len > 0 &&
        uint32_t(len) == templateObj->as<TypedArrayObject>().length()) {
      auto* templateConst = constant(ObjectValue(*templateObj));
      auto* obj = MNewTypedArray::New(alloc(), /* constraints = */ nullptr,