Bug 1046597 - Balance stack in failures cases. r=efaust

2024-09-13 09:24:08 -07:00 · 2014-08-01 10:57:23 -07:00 · 2014-08-01 10:57:23 -07:00 · 1d70cc5e69
commit 1d70cc5e69
parent c2d36eb4dd
2 changed files with 17 additions and 5 deletions
--- a/js/src/jit-test/tests/ion/bug1046597.js
+++ b/js/src/jit-test/tests/ion/bug1046597.js
@ -0,0 +1,6 @@
+a = {}
+b = __proto__
+for (i = 0; i < 10; i++) {
+    __proto__ &=  a
+    a.__proto__ = b
+}
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@ -989,13 +989,15 @@ GenerateCallGetter(JSContext *cx, IonScript *ion, MacroAssembler &masm,
    masm.branchPtr(Assembler::NotEqual, Address(object, JSObject::offsetOfShape()),
                   ImmGCPtr(obj->lastProperty()), failures);

-    bool restoreObjReg = false;
    Register scratchReg = output.valueReg().scratchReg();
+    bool spillObjReg = scratchReg == object;
+    Label pop1AndFail;
+    Label *maybePopAndFail = failures;

    // Save off the object register if it aliases the scratchReg
-    if (scratchReg == object) {
+    if (spillObjReg) {
        masm.push(object);
-        restoreObjReg = true;
+        maybePopAndFail = &pop1AndFail;
    }

    // Note: this may clobber the object register if it's used as scratch.
@ -1008,9 +1010,9 @@ GenerateCallGetter(JSContext *cx, IonScript *ion, MacroAssembler &masm,
    masm.branchPtr(Assembler::NotEqual,
                   Address(holderReg, JSObject::offsetOfShape()),
                   ImmGCPtr(holder->lastProperty()),
-                   failures);
+                   maybePopAndFail);

-    if (restoreObjReg)
+    if (spillObjReg)
        masm.pop(object);

    // Now we're good to go to invoke the native call.
@ -1022,6 +1024,10 @@ GenerateCallGetter(JSContext *cx, IonScript *ion, MacroAssembler &masm,
    attacher.jumpRejoin(masm);

    // Jump to next stub.
+    if (spillObjReg) {
+        masm.bind(&pop1AndFail);
+        masm.pop(object);
+    }
    masm.bind(failures);
    attacher.jumpNextStub(masm);