From 3c878b1e3bbb043b22ab032bce1fe111b8062ca9 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Mon, 17 Jun 2019 18:37:23 +0000
Subject: Convert CopyBoxedOrUnboxedDenseElements to something that doesn't
 crash.

---
 js/src/jit/BaselineIC.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'js/src/jit/BaselineIC.cpp')

diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 2b0822655..17fdb1807 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5769,8 +5769,18 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
     if (!nobj)
         return false;
     EnsureArrayGroupAnalyzed(cx, nobj); //XXX
-    CopyBoxedOrUnboxedDenseElements(cx, nobj, arr, 0, 0, length);
-
+	
+    MOZ_ASSERT(arr->isNative());
+    MOZ_ASSERT(nobj->isNative());
+    MOZ_ASSERT(nobj->as<NativeObject>().getDenseInitializedLength() == 0);
+    MOZ_ASSERT(arr->as<NativeObject>().getDenseInitializedLength() >= length);
+    MOZ_ASSERT(nobj->as<NativeObject>().getDenseCapacity() >= length);
+
+    nobj->as<NativeObject>().setDenseInitializedLength(length);
+
+    const Value* vp = arr->as<NativeObject>().getDenseElements();
+    nobj->as<NativeObject>().initDenseElements(0, vp, length);
+	
     result.setObject(*nobj);
     return true;
 }
-- 
cgit v1.2.3


From e9aac71c6d7fa67c7581e2bd75accae5a9699165 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Sun, 16 Jun 2019 19:55:05 +0000
Subject: Remove and clean up more code.

---
 js/src/jit/BaselineIC.cpp | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

(limited to 'js/src/jit/BaselineIC.cpp')

diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 17fdb1807..9151d9634 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5365,13 +5365,6 @@ GetTemplateObjectForSimd(JSContext* cx, JSFunction* target, MutableHandleObject
     return true;
 }
 
-static void
-EnsureArrayGroupAnalyzed(JSContext* cx, JSObject* obj)
-{
-    if (PreliminaryObjectArrayWithTemplate* objects = obj->group()->maybePreliminaryObjects())
-        objects->maybeAnalyze(cx, obj->group(), /* forceAnalyze = */ true);
-}
-
 static bool
 GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs& args,
                            MutableHandleObject res, bool* skipAttach)
@@ -5403,10 +5396,7 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs&
             // With this and other array templates, analyze the group so that
             // we don't end up with a template whose structure might change later.
             res.set(NewFullyAllocatedArrayForCallingAllocationSite(cx, count, TenuredObject));
-            if (!res)
-                return false;
-            EnsureArrayGroupAnalyzed(cx, res);
-            return true;
+            return !!res;
         }
     }
 
@@ -5432,10 +5422,7 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs&
                 }
                 res.set(NewFullyAllocatedArrayTryReuseGroup(cx, &args.thisv().toObject(), 0,
                                                             TenuredObject));
-                if (!res)
-                    return false;
-                EnsureArrayGroupAnalyzed(cx, res);
-                return true;
+                return !!res;
             }
         }
     }
@@ -5452,10 +5439,7 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs&
         }
 
         res.set(NewFullyAllocatedArrayForCallingAllocationSite(cx, 0, TenuredObject));
-        if (!res)
-            return false;
-        EnsureArrayGroupAnalyzed(cx, res);
-        return true;
+        return !!res;
     }
 
     if (native == StringConstructor) {
@@ -5768,7 +5752,6 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
     ArrayObject* nobj = NewFullyAllocatedArrayTryReuseGroup(cx, arr, length, TenuredObject);
     if (!nobj)
         return false;
-    EnsureArrayGroupAnalyzed(cx, nobj); //XXX
 	
     MOZ_ASSERT(arr->isNative());
     MOZ_ASSERT(nobj->isNative());
-- 
cgit v1.2.3


From fcc11b2fec61c37c90ffe40e8f406eba64654a9c Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Tue, 18 Jun 2019 12:59:22 +0000
Subject: Tabs -> Spaces (no code change)

---
 js/src/jit/BaselineIC.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'js/src/jit/BaselineIC.cpp')

diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 9151d9634..64cdf01a6 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5752,7 +5752,7 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
     ArrayObject* nobj = NewFullyAllocatedArrayTryReuseGroup(cx, arr, length, TenuredObject);
     if (!nobj)
         return false;
-	
+    
     MOZ_ASSERT(arr->isNative());
     MOZ_ASSERT(nobj->isNative());
     MOZ_ASSERT(nobj->as<NativeObject>().getDenseInitializedLength() == 0);
@@ -5763,7 +5763,7 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
 
     const Value* vp = arr->as<NativeObject>().getDenseElements();
     nobj->as<NativeObject>().initDenseElements(0, vp, length);
-	
+    
     result.setObject(*nobj);
     return true;
 }
-- 
cgit v1.2.3