Bug 747926 - Preserve type tag when overwriting VM stack values (r=bhackett)

2024-09-13 09:24:08 -07:00 · 2012-05-07 10:12:58 -07:00 · 2012-05-07 10:12:58 -07:00 · 76240c5634
commit 76240c5634
parent cc31724901
2 changed files with 20 additions and 3 deletions
--- a/js/src/jit-test/tests/basic/bug747926.js
+++ b/js/src/jit-test/tests/basic/bug747926.js
@ -0,0 +1,12 @@
+a = 'a';
+b = [,];
+exhaustiveSliceTest("exhaustive slice test 1", a);
+print('---');
+exhaustiveSliceTest("exhaustive slice test 2", b);
+function exhaustiveSliceTest(testname, a){
+  x = 0
+  var y = 0;
+  countHeap();
+    for (y=a.length; y + a.length; y--) { print(y);
+					  var b  = a.slice(x,y); }
+}
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@ -484,11 +484,16 @@ StackSpace::markFrameSlots(JSTracer *trc, StackFrame *fp, Value *slotsEnd, jsbyt
    for (Value *vp = slotsBegin; vp < fixedEnd; vp++) {
        uint32_t slot = analyze::LocalSlot(script, vp - slotsBegin);

-        /* Will this slot be synced by the JIT? */
+        /*
+         * Will this slot be synced by the JIT? If not, replace with a dummy
+         * value with the same type tag.
+         */
        if (!analysis->trackSlot(slot) || analysis->liveness(slot).live(offset))
            gc::MarkValueRoot(trc, vp, "vm_stack");
-        else
-            *vp = UndefinedValue();
+        else if (vp->isObject())
+            *vp = ObjectValue(fp->scopeChain()->global());
+        else if (vp->isString())
+            *vp = StringValue(trc->runtime->atomState.nullAtom);
    }

    gc::MarkValueRootRange(trc, fixedEnd, slotsEnd, "vm_stack");