From e61532ff2ed5f97930525f5e1bba1cacdb9d141d Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Wed, 8 Jun 2016 15:18:59 +0200
Subject: [PATCH] Bug 1266768 - Give MBoundsCheck an explicit type policy.
 r=lth

---
 js/src/jit-test/tests/ion/bug1266768.js | 16 ++++++++++++++++
 js/src/jit/Lowering.cpp                 | 10 ++++++++--
 js/src/jit/MIR.h                        |  4 ++--
 js/src/jit/TypePolicy.cpp               |  1 +
 4 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug1266768.js

diff --git a/js/src/jit-test/tests/ion/bug1266768.js b/js/src/jit-test/tests/ion/bug1266768.js
new file mode 100644
index 000000000000..7d7937b5116c
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1266768.js
@@ -0,0 +1,16 @@
+if (!this.SharedArrayBuffer)
+    quit();
+
+function mod(stdlib) {
+    add = stdlib.Atomics.add;
+    function f3() {
+        add(i8a, 0 | 0 && this && BUGNUMBER, 0);
+    }
+    return {f3: f3, 0: 0};
+}
+i8a = new Int8Array(new SharedArrayBuffer(1));
+var {
+    f3
+} = mod(this, {})
+for (i = 0; i < 1000; i++)
+    f3();
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index 4001fa1b1a4f..c7758901d994 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -2933,8 +2933,12 @@ LIRGenerator::visitNot(MNot* ins)
 void
 LIRGenerator::visitBoundsCheck(MBoundsCheck* ins)
 {
-     if (!ins->fallible())
-         return;
+    MOZ_ASSERT(ins->index()->type() == MIRType::Int32);
+    MOZ_ASSERT(ins->length()->type() == MIRType::Int32);
+    MOZ_ASSERT(ins->type() == MIRType::Int32);
+
+    if (!ins->fallible())
+        return;
 
     LInstruction* check;
     if (ins->minimum() || ins->maximum()) {
@@ -2952,6 +2956,8 @@ LIRGenerator::visitBoundsCheck(MBoundsCheck* ins)
 void
 LIRGenerator::visitBoundsCheckLower(MBoundsCheckLower* ins)
 {
+    MOZ_ASSERT(ins->index()->type() == MIRType::Int32);
+
     if (!ins->fallible())
         return;
 
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index e64b44133ee7..c4d619f6dc35 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -9379,7 +9379,7 @@ class MNot
 // (unsigned comparisons may be used).
 class MBoundsCheck
   : public MBinaryInstruction,
-    public NoTypePolicy::Data
+    public MixPolicy<IntPolicy<0>, IntPolicy<1>>::Data
 {
     // Range over which to perform the bounds check, may be modified by GVN.
     int32_t minimum_;
@@ -9450,7 +9450,7 @@ class MBoundsCheck
 // Bailout if index < minimum.
 class MBoundsCheckLower
   : public MUnaryInstruction,
-    public NoTypePolicy::Data
+    public IntPolicy<0>::Data
 {
     int32_t minimum_;
     bool fallible_;
diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
index 53019ea55900..5cc57f81070a 100644
--- a/js/src/jit/TypePolicy.cpp
+++ b/js/src/jit/TypePolicy.cpp
@@ -1236,6 +1236,7 @@ FilterTypeSetPolicy::adjustInputs(TempAllocator& alloc, MInstruction* ins)
     _(MixPolicy<ConvertToStringPolicy<0>, ConvertToStringPolicy<1> >)   \
     _(MixPolicy<ConvertToStringPolicy<0>, ObjectPolicy<1> >)            \
     _(MixPolicy<DoublePolicy<0>, DoublePolicy<1> >)                     \
+    _(MixPolicy<IntPolicy<0>, IntPolicy<1> >)                           \
     _(MixPolicy<ObjectPolicy<0>, BoxPolicy<1> >)                        \
     _(MixPolicy<ObjectPolicy<0>, CacheIdPolicy<1>>)                     \
     _(MixPolicy<ObjectPolicy<0>, ConvertToStringPolicy<1> >)            \