commit ab3c53cbb554b8a6c9a0adbd60ea5415cbd8e511
parent fbdb69897065893a5dc1d75b1686ebec61bf4c20
Author: André Bargull <andre.bargull@gmail.com>
Date: Mon, 6 Oct 2025 09:02:07 +0000
Bug 1991309: Remove overzealous assertions when recovering subarray. r=jandem
The assertion in `TypedArraySubarrayWithLength` was only used to ensure we emit
the necessary species guards to allow inlining `subarray`. These guards can be
violated when recovering `subarray`, though.
Differential Revision: https://phabricator.services.mozilla.com/D267170
Diffstat:
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/js/src/jit-test/tests/typedarray/subarray-scalar-replace-mutate-proto.js b/js/src/jit-test/tests/typedarray/subarray-scalar-replace-mutate-proto.js
@@ -0,0 +1,16 @@
+function mutateProto(i) {
+ with ({});
+ if (i === 100) {
+ Object.setPrototypeOf(Int8Array.prototype, Object.prototype);
+ }
+}
+
+function test(i) {
+ var x = new Int8Array(0).subarray();
+ mutateProto(i);
+ return x.length;
+}
+
+for (var i = 0; i <= 100; ++i) {
+ assertEq(test(i), i < 100 ? 0 : undefined);
+}
diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
@@ -4257,7 +4257,6 @@ TypedArrayObject* js::TypedArraySubarrayWithLength(
intptr_t length) {
MOZ_ASSERT(!obj->hasDetachedBuffer());
MOZ_ASSERT(!obj->is<ResizableTypedArrayObject>());
- MOZ_ASSERT(HasBuiltinTypedArraySpecies(obj, cx));
MOZ_ASSERT(start >= 0);
MOZ_ASSERT(length >= 0);
MOZ_ASSERT(size_t(start + length) <= obj->length().valueOr(0));
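Review bot: Removing the species assertion leaves nothing in TypedArraySubarrayWithLength stating that the function may now be reached after the JIT's species guards have been invalidated, which is exactly the situation the commit message describes for the recover path; the same applies to the identical removal in TypedArraySubarrayRecover in the next hunk. A one-line comment where the assertion stood would keep that contract visible to the next maintainer: `// No species assertion: the recover path can reach this after the JIT's species guards were invalidated, so the builtin species must not be assumed here.` The function body continues past the hunk, so it is worth confirming that the remaining code does not itself rely on the builtin species (e.g. by skipping a species lookup) now that the precondition is gone. The `cx` parameter was the only visible use in this hunk; since MOZ_ASSERT compiles away in release builds it is presumably still used later in the body, but that is not verifiable from here.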
@@ -4304,7 +4303,6 @@ TypedArrayObject* js::TypedArraySubarrayRecover(JSContext* cx,
intptr_t start,
intptr_t length) {
MOZ_ASSERT(!obj->is<ResizableTypedArrayObject>());
- MOZ_ASSERT(HasBuiltinTypedArraySpecies(obj, cx));
MOZ_ASSERT(start >= 0);
MOZ_ASSERT(length >= 0);