Bug 881461 - Fix INITPROP/INITELEM GETTER/SETTER ops to leave values on the stack for the decompiler. r=bhackett

2024-09-13 09:24:08 -07:00 · 2013-06-13 16:00:35 +02:00 · 2013-06-13 16:00:35 +02:00 · a2afaa46e8
commit a2afaa46e8
parent 8322355ab8
2 changed files with 25 additions and 8 deletions
--- a/js/src/ion/BaselineCompiler.cpp
+++ b/js/src/ion/BaselineCompiler.cpp
@ -1995,17 +1995,23 @@ BaselineCompiler::emitInitPropGetterSetter()
    JS_ASSERT(JSOp(*pc) == JSOP_INITPROP_GETTER ||
              JSOp(*pc) == JSOP_INITPROP_SETTER);

-    // Load value in R0, keep object on the stack.
-    frame.popRegsAndSync(1);
+    // Load value in R0 but keep it on the stack for the decompiler.
+    frame.syncStack(0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-1)), R0);
+
    prepareVMCall();

    pushArg(R0);
    pushArg(ImmGCPtr(script->getName(pc)));
-    masm.extractObject(frame.addressOfStackValue(frame.peek(-1)), R0.scratchReg());
+    masm.extractObject(frame.addressOfStackValue(frame.peek(-2)), R0.scratchReg());
    pushArg(R0.scratchReg());
    pushArg(ImmWord(pc));

-    return callVM(InitPropGetterSetterInfo);
+    if (!callVM(InitPropGetterSetterInfo))
+        return false;
+
+    frame.pop();
+    return true;
 }

 bool
@ -2031,17 +2037,25 @@ BaselineCompiler::emitInitElemGetterSetter()
    JS_ASSERT(JSOp(*pc) == JSOP_INITELEM_GETTER ||
              JSOp(*pc) == JSOP_INITELEM_SETTER);

-    // Load index and value in R0 and R1, keep object on the stack.
-    frame.popRegsAndSync(2);
+    // Load index and value in R0 and R1, but keep values on the stack for the
+    // decompiler.
+    frame.syncStack(0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-2)), R0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-1)), R1);
+
    prepareVMCall();

    pushArg(R1);
    pushArg(R0);
-    masm.extractObject(frame.addressOfStackValue(frame.peek(-1)), R0.scratchReg());
+    masm.extractObject(frame.addressOfStackValue(frame.peek(-3)), R0.scratchReg());
    pushArg(R0.scratchReg());
    pushArg(ImmWord(pc));

-    return callVM(InitElemGetterSetterInfo);
+    if (!callVM(InitElemGetterSetterInfo))
+        return false;
+
+    frame.popn(2);
+    return true;
 }

 bool
--- a/js/src/jit-test/tests/baseline/bug881461.js
+++ b/js/src/jit-test/tests/baseline/bug881461.js
@ -0,0 +1,3 @@
+// |jit-test| error: TypeError
+z = Proxy.create({}, (function(){}));
+({__proto__: z, set c(a) {}});