From 622263e71bf957d7bc38dd3499cbcee2cd84d681 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Thu, 9 Nov 2017 09:51:39 -0800
Subject: [PATCH] #443: M1408412 M1306626 M1404636 M1406398
---
 js/src/builtin/Object.cpp | 6 ++----
 js/src/jit/IonBuilder.cpp | 26 --------------------------
 js/src/jit/IonCaches.cpp | 3 +++
 js/src/jit/MIR.cpp | 8 ++++++++
 js/src/jit/MIR.h | 23 +++++++++++++++++++++++
 js/src/jit/RangeAnalysis.cpp | 6 +++---
 6 files changed, 39 insertions(+), 33 deletions(-)
diff --git a/js/src/builtin/Object.cpp b/js/src/builtin/Object.cpp
index 11a0832dc..0f7bdc3ca 100644
--- a/js/src/builtin/Object.cpp
+++ b/js/src/builtin/Object.cpp
@@ -710,9 +710,6 @@ EnumerableOwnProperties(JSContext* cx, const JS::CallArgs& args, EnumerableOwnPr
 RootedId id(cx);
 RootedValue key(cx);
 RootedValue value(cx);
- RootedNativeObject nobj(cx);
- if (obj->is())
- nobj = &obj->as();
 RootedShape shape(cx);
 Rooted desc(cx);
@@ -730,7 +727,8 @@ EnumerableOwnProperties(JSContext* cx, const JS::CallArgs& args, EnumerableOwnPr
 }
 // Step 4.a.i.
- if (nobj) {
+ if (obj->is()) {
+ HandleNativeObject nobj = obj.as();
 if (JSID_IS_INT(id) && nobj->containsDenseElement(JSID_TO_INT(id))) {
 value = nobj->getDenseOrTypedArrayElement(JSID_TO_INT(id));
 } else {
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 67e53b588..2ef59b496 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -8616,9 +8616,6 @@ IonBuilder::getElemTryTypedObject(bool* emitted, MDefinition* obj, MDefinition*
 MOZ_CRASH("Bad kind");
 }
-static MIRType
-MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble);
-
 bool
 IonBuilder::checkTypedObjectIndexInBounds(int32_t elemSize,
 MDefinition* obj,
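Review bot: The per-iteration native check added at Step 4.a.i of EnumerableOwnProperties (js/src/builtin/Object.cpp) has no comment explaining why it must not be hoisted out of the loop, as the removed `nobj` setup was. Presumably an earlier pass through the loop can run code that leaves `obj` no longer native, in which case a cached `nobj` would be used as the wrong type; that is inferred, since the loop body lies outside these two hunks. If so, a comment such as `// Re-check on every iteration: obj may stop being native while properties are read.` would keep a later cleanup from reintroducing the cached handle.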
@@ -9510,29 +9507,6 @@ IonBuilder::convertShiftToMaskForStaticTypedArray(MDefinition* id,
 return ptr;
 }
-static MIRType
-MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble)
-{
- switch (arrayType) {
- case Scalar::Int8:
- case Scalar::Uint8:
- case Scalar::Uint8Clamped:
- case Scalar::Int16:
- case Scalar::Uint16:
- case Scalar::Int32:
- return MIRType_Int32;
- case Scalar::Uint32:
- return observedDouble ? MIRType_Double : MIRType_Int32;
- case Scalar::Float32:
- return MIRType_Float32;
- case Scalar::Float64:
- return MIRType_Double;
- default:
- break;
- }
- MOZ_CRASH("Unknown typed array type");
-}
-
 bool
 IonBuilder::jsop_getelem_typed(MDefinition* obj, MDefinition* index,
 Scalar::Type arrayType)
diff --git a/js/src/jit/IonCaches.cpp b/js/src/jit/IonCaches.cpp
index 3db31dc49..869652138 100644
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@@ -3810,6 +3810,9 @@ GetPropertyIC::tryAttachDenseElement(JSContext* cx, HandleScript outerScript, Io
 if (!obj->isNative() || !idval.isInt32())
 return true;
+ if (uint32_t(idval.toInt32()) >= obj->as().getDenseInitializedLength())
+ return true;
+
 *emitted = true;
 MacroAssembler masm(cx, ion, outerScript, profilerLeavePc_);
diff --git a/js/src/jit/MIR.cpp b/js/src/jit/MIR.cpp
index f50f31a2d..0c0d2d91a 100644
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -5055,6 +5055,14 @@ PropertyReadNeedsTypeBarrier(CompilerConstraintList* constraints,
 return BarrierKind::TypeSet;
 }
+ if (!name && IsTypedArrayClass(key->clasp())) {
+ Scalar::Type arrayType = Scalar::Type(key->clasp() - &TypedArrayObject::classes[0]);
+ MIRType type = MIRTypeForTypedArrayRead(arrayType, true);
+ if (observed->mightBeMIRType(type))
+ return BarrierKind::NoBarrier;
+ return BarrierKind::TypeSet;
+ }
+
 jsid id = name ? NameToId(name) : JSID_VOID;
 HeapTypeSetKey property = key->property(id);
 if (property.maybeTypes()) {
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 0ce4f0a65..b93b79413 100644
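Review bot: The new guard in GetPropertyIC::tryAttachDenseElement (js/src/jit/IonCaches.cpp) relies on the `uint32_t(...)` cast to reject negative indexes as well as indexes at or past the dense initialized length, and nothing on the line says so. A comment such as `// Unsigned compare: a negative index wraps to a large value and is rejected here too.` would make that intent explicit. The check only decides whether a stub is attached for the index seen at attach time; the bounds guard emitted into the stub itself is outside this hunk and should be confirmed to cover later calls with other indexes.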
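Review bot: In PropertyReadNeedsTypeBarrier (js/src/jit/MIR.cpp), `Scalar::Type(key->clasp() - &TypedArrayObject::classes[0])` converts a pointer difference into an enum value with no check that it names a valid element type; it depends on IsTypedArrayClass accepting only entries of that array. An out-of-range value would reach the `MOZ_CRASH("Unknown typed array type")` in MIRTypeForTypedArrayRead, which fails closed, but a debug assertion on the computed value or a one-line comment stating the layout assumption would document the dependency. The bare `true` is also opaque at the call site; `MIRTypeForTypedArrayRead(arrayType, /* observedDouble = */ true)` reads better. The function begins and ends outside the hunk.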
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -14123,6 +14123,29 @@ bool PropertyWriteNeedsTypeBarrier(TempAllocator& alloc, CompilerConstraintList*
 bool ArrayPrototypeHasIndexedProperty(IonBuilder* builder, JSScript* script);
 bool TypeCanHaveExtraIndexedProperties(IonBuilder* builder, TemporaryTypeSet* types);
+inline MIRType
+MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble)
+{
+ switch (arrayType) {
+ case Scalar::Int8:
+ case Scalar::Uint8:
+ case Scalar::Uint8Clamped:
+ case Scalar::Int16:
+ case Scalar::Uint16:
+ case Scalar::Int32:
+ return MIRType_Int32;
+ case Scalar::Uint32:
+ return observedDouble ? MIRType_Double : MIRType_Int32;
+ case Scalar::Float32:
+ return MIRType_Float32;
+ case Scalar::Float64:
+ return MIRType_Double;
+ default:
+ break;
+ }
+ MOZ_CRASH("Unknown typed array type");
+}
+
 } // namespace jit
 } // namespace js
diff --git a/js/src/jit/RangeAnalysis.cpp b/js/src/jit/RangeAnalysis.cpp
index 64d6ad179..68785f0f2 100644
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -1756,9 +1756,9 @@ MArgumentsLength::computeRange(TempAllocator& alloc)
 {
 // This is is a conservative upper bound on what |TooManyActualArguments|
 // checks. If exceeded, Ion will not be entered in the first place.
- MOZ_ASSERT(JitOptions.maxStackArgs <= UINT32_MAX,
- "NewUInt32Range requires a uint32 value");
- setRange(Range::NewUInt32Range(alloc, 0, JitOptions.maxStackArgs));
+ static_assert(ARGS_LENGTH_MAX <= UINT32_MAX,
+ "NewUInt32Range requires a uint32 value");
+ setRange(Range::NewUInt32Range(alloc, 0, ARGS_LENGTH_MAX));
 }
 void
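Review bot: The comment kept above the new `static_assert` in MArgumentsLength::computeRange (js/src/jit/RangeAnalysis.cpp) still explains the bound only in terms of |TooManyActualArguments|, while the range now comes from ARGS_LENGTH_MAX instead of JitOptions.maxStackArgs. If the reason is that the option can change after code was compiled against the tighter range, which is inferred and not shown in this hunk, the comment should say so, for example `// Use the fixed ARGS_LENGTH_MAX: JitOptions.maxStackArgs is adjustable and must not bound the range.` Without that, a later reader may restore the option-based bound as an optimisation.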