From 97bd3ada2a0ac6eff0e03e6eec8d2012af3bb57d Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Mon, 28 Sep 2015 13:30:42 +0200
Subject: [PATCH] Bug 1205707 part 1 - Clean up some is-TypedArrayObject code in Ion. r=Waldo, a=sylvestre

---
 js/src/jit/MCallOptimize.cpp | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
index 7fdede8..2c6a533 100644
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -2122,6 +2122,19 @@ IonBuilder::inlineIsTypedArray(CallInfo& callInfo)
 return InliningStatus_Inlined;
 }
 
+static bool
+IsTypedArrayObject(CompilerConstraintList* constraints, MDefinition* def)
+{
+ MOZ_ASSERT(def->type() == MIRType_Object);
+
+ TemporaryTypeSet* types = def->resultTypeSet();
+ if (!types)
+ return false;
+
+ return types->forAllClasses(constraints, IsTypedArrayClass) ==
+ TemporaryTypeSet::ForAllResult::ALL_TRUE;
+}
+
 IonBuilder::InliningStatus
 IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
 {
@@ -2132,8 +2145,10 @@ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
 if (getInlineReturnType() != MIRType_Int32)
 return InliningStatus_NotInlined;
 
- // We assume that when calling this function we always
- // have a TypedArray. The native asserts that as well.
+ // Note that the argument we see here is not necessarily a typed array.
+ // If it's not, this call should be unreachable though.
+ if (!IsTypedArrayObject(constraints(), callInfo.getArg(0)))
+ return InliningStatus_NotInlined;
 
 MInstruction* length = addTypedArrayLength(callInfo.getArg(0));
 current->push(length);
-- 
2.5.0
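Review bot: The new `IsTypedArrayObject` helper has no comment saying that it is a conservative proof rather than a test, which matters because the second hunk uses it to gate `addTypedArrayLength`. A missing type set and every `forAllClasses` result other than `ALL_TRUE` return false, so false means "not proven", not "is not a typed array". I would add above the function: `// Returns true only if type inference proves that every possible class of |def| is a typed array class; false means "unknown", so callers must not inline.` Since `MOZ_ASSERT` is compiled out of release builds, the comment should also state that callers must check for `MIRType_Object` themselves before calling.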
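Review bot: The `MIRType_Object` check that `IsTypedArrayObject` relies on is not visible before the new call in `inlineTypedArrayLength`. The function starts above this hunk, so the check may already be there, but it should be confirmed because the helper asserts it in debug builds only. The new comment also calls the non-typed-array case "unreachable" without saying why the code still bails out. Something like `// Bail out instead of trusting the caller: the inlined length load performs no class check of its own.` would make the intent explicit, assuming that is what `addTypedArrayLength` emits.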