Fix layout assumption of condition-less for-loop. (Bug 732861, r=jandem)

2024-09-13 09:24:08 -07:00 · 2012-03-09 10:33:40 -08:00 · 2012-03-09 10:33:40 -08:00 · a90182989f
commit a90182989f
parent 4e09528c6c
1 changed files with 4 additions and 1 deletions
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -1779,7 +1779,7 @@ IonBuilder::forLoop(JSOp op, jssrcnote *sn)
    // for loops have the following structures:
    //
    //   NOP or POP
-    //   [GOTO cond]
+    //   [GOTO cond | NOP]
    //   LOOPHEAD
    // body:
    //    ; [body]
@ -1799,6 +1799,9 @@ IonBuilder::forLoop(JSOp op, jssrcnote *sn)
        JS_ASSERT(bodyStart + GetJumpOffset(bodyStart) == condpc);
        bodyStart = GetNextPc(bodyStart);
    } else {
+        // No loop condition, such as for(j = 0; ; j++)
+        JS_ASSERT(JSOp(*bodyStart) == JSOP_NOP);
+        bodyStart = GetNextPc(bodyStart);
        loopEntry = GetNextPc(bodyStart);
    }
    jsbytecode *loopHead = bodyStart;