Bug 762450 - Access the canonical formal argument location on jit rejoin path (r=bhackett)

--HG-- extra : rebase_source : 520885f21382f0ca2fc9aeff34f248cba1af7b39
2024-09-13 09:24:08 -07:00 · 2012-06-07 15:05:40 -07:00 · 2012-06-07 15:05:40 -07:00 · 2122a154f9
commit 2122a154f9
parent d8e8691a41
3 changed files with 16 additions and 7 deletions
--- a/js/src/jit-test/tests/basic/testBug762450.js
+++ b/js/src/jit-test/tests/basic/testBug762450.js
@ -0,0 +1,7 @@
+function f(a, b, c) {
+    arguments[0] = 3;
+    return (c--) + 1;
+}
+var r = f();
+print(r);
+assertEq(r !== r, true);
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -821,7 +821,7 @@ DoIncDec(JSContext *cx, JSScript *script, jsbytecode *pc, const Value &v, Value
    }

    double d;
-    if (!ToNumber(cx, *slot, &d))
+    if (!ToNumber(cx, v, &d))
        return false;

    double sum = d + (cs.format & JOF_INC ? 1 : -1);
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@ -691,11 +691,6 @@ FinishVarIncOp(VMFrame &f, RejoinState rejoin, Value ov, Value nv, Value *vp)
              op == JSOP_ARGDEC || op == JSOP_DECARG);
    const JSCodeSpec *cs = &js_CodeSpec[op];

-    unsigned i = GET_SLOTNO(f.pc());
-    Value *var = (JOF_TYPE(cs->format) == JOF_LOCAL)
-                 ? &f.fp()->unaliasedLocal(i)
-                 : &f.fp()->unaliasedFormal(i);
-
    if (rejoin == REJOIN_POS) {
        double d = ov.toNumber();
        double N = (cs->format & JOF_INC) ? 1 : -1;
@ -703,7 +698,14 @@ FinishVarIncOp(VMFrame &f, RejoinState rejoin, Value ov, Value nv, Value *vp)
            types::TypeScript::MonitorOverflow(cx, f.script(), f.pc());
    }

-    *var = nv;
+    unsigned i = GET_SLOTNO(f.pc());
+    if (JOF_TYPE(cs->format) == JOF_LOCAL)
+        f.fp()->unaliasedLocal(i) = nv;
+    else if (f.fp()->script()->argsObjAliasesFormals())
+        f.fp()->argsObj().setArg(i, nv);
+    else
+        f.fp()->unaliasedFormal(i) = nv;
+
    *vp = (cs->format & JOF_POST) ? ov : nv;
 }