[INFER] Compiler types should reflect inferred types for JSOP_THIS in scripts which have not executed, bug 684084.

2024-09-13 09:24:08 -07:00 · 2011-09-04 13:33:04 -07:00 · 2011-09-04 13:33:04 -07:00 · 4c2126dce8
commit 4c2126dce8
parent 59c6ee6694
4 changed files with 33 additions and 3 deletions
--- a/js/src/jit-test/tests/jaeger/bug684084.js
+++ b/js/src/jit-test/tests/jaeger/bug684084.js
@ -0,0 +1,7 @@
+// |jit-test| error: TypeError
+function Integer( value, exception ) {
+  try {  } catch ( e ) {  }
+  new (value = this)( this.value );
+  if ( Math.floor(value) != value || isNaN(value) ) {  }
+}
+new Integer( 3, false );
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -2740,9 +2740,8 @@ mjit::Compiler::generateMethod()
          END_CASE(JSOP_UNBRAND)

          BEGIN_CASE(JSOP_UNBRANDTHIS)
-            jsop_this();
-            jsop_unbrand();
-            frame.pop();
+            prepareStubCall(Uses(1));
+            INLINE_STUBCALL(stubs::UnbrandThis, REJOIN_FALLTHROUGH);
          END_CASE(JSOP_UNBRANDTHIS)

          BEGIN_CASE(JSOP_GETGLOBAL)
@ -5577,6 +5576,16 @@ mjit::Compiler::jsop_this()
                stubcc.rejoin(Changes(1));
            }

+            /*
+             * Watch out for an obscure case where we don't know we are pushing
+             * an object: the script has not yet had a 'this' value assigned,
+             * so no pushed 'this' type has been inferred. Don't mark the type
+             * as known in this case, preserving the invariant that compiler
+             * types reflect inferred types.
+             */
+            if (cx->typeInferenceEnabled() && knownPushedType(0) != JSVAL_TYPE_OBJECT)
+                return;
+
            // Now we know that |this| is an object.
            frame.pop();
            frame.learnThisIsObject(type != JSVAL_TYPE_OBJECT);
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@ -2195,6 +2195,19 @@ stubs::Unbrand(VMFrame &f)
        obj->unbrand(f.cx);
 }

+void JS_FASTCALL
+stubs::UnbrandThis(VMFrame &f)
+{
+    if (!ComputeThis(f.cx, f.fp()))
+        THROW();
+    Value &thisv = f.fp()->thisValue();
+    if (!thisv.isObject())
+        return;
+    JSObject *obj = &thisv.toObject();
+    if (obj->isNative())
+        obj->unbrand(f.cx);
+}
+
 void JS_FASTCALL
 stubs::Pos(VMFrame &f)
 {
--- a/js/src/methodjit/StubCalls.h
+++ b/js/src/methodjit/StubCalls.h
@ -200,6 +200,7 @@ JSBool JS_FASTCALL InstanceOf(VMFrame &f);
 void JS_FASTCALL FastInstanceOf(VMFrame &f);
 void JS_FASTCALL ArgCnt(VMFrame &f);
 void JS_FASTCALL Unbrand(VMFrame &f);
+void JS_FASTCALL UnbrandThis(VMFrame &f);

 /*
 * Helper for triggering recompilation should a name read miss a type barrier,