Bug 738841 - Fix handling of 'this' in methodjit without TI (r=bhackett)

2024-09-13 09:24:08 -07:00 · 2012-03-27 10:54:04 -07:00 · 2012-03-27 10:54:04 -07:00 · d0f06adfac
commit d0f06adfac
parent adf7394c63
3 changed files with 106 additions and 8 deletions
--- a/js/src/jit-test/tests/basic/bug738841.js
+++ b/js/src/jit-test/tests/basic/bug738841.js
@ -0,0 +1,49 @@
 try {
    for (let z = 0; z < 1; ++evalcx("[]", newGlobal("new-compartment"))) {}
 } catch (e) {}
 try {
    for (y in [schedulegc(58)]) {
        b
    }
 } catch (e) {}
 try {
    e
 } catch (e) {}
 try {
    (function() {
        h
    }())
 } catch (e) {}
 try {
    (function() {
        this.m.f = function() {}
    }())
 } catch (e) {}
 try {
    t()
 } catch (e) {}
 try {
    p
 } catch (e) {}
 try {
    gc()
    p
 } catch (e) {}
 try {
    (function() {
        for (var v of m) {}
    }())
 } catch (e) {}
 try {
    m
 } catch (e) {}
 try {
    var f = function() {
        {
            print(new function(q)("", s))
            let u
        }
    };
    dis(f);
    f();
 } catch (e) {}
--- a/js/src/jit-test/tests/basic/bug738846.js
+++ b/js/src/jit-test/tests/basic/bug738846.js
@ -0,0 +1,49 @@
 try {
    (function() {
        var m
        ArrayBuffer()
        var _ = t
        var _2 = []
    }())
 } catch (e) {}
 try {
    for (y in [schedulegc(58)]) {
        m
    }
 } catch (e) {}
 try {
    (function() {
        n.(O)
    }())
 } catch (e) {}
 try {
    (function() {
        s
    }())
 } catch (e) {}
 try {
    e
 } catch (e) {}
 try {
    "" ()
 } catch (e) {}
 try {
    gc()
    s
 } catch (e) {}
 try {
    (function() {
        for (v of m) {}
    }())
 } catch (e) {}
 try {
    t
 } catch (e) {}
 try {
    (function() {
        "use strict";
        print(new function() {
            r
        }(this))
    }())
 } catch (e) {}
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -4122,15 +4122,15 @@ mjit::Compiler::inlineCallHelper(uint32_t callImmArgc, bool callingNew, FrameSiz
        frame.discardFe(origThis);
        /*
-         * If inference is enabled, the 'this' value of the pushed frame always
+         * We store NULL here to ensure that the slot doesn't contain
-         * needs to be coherent. If a GC gets triggered before the callee can
+         * garbage. Additionally, we need to store a non-object value here for
-         * fill in the slot (i.e. the GC happens on constructing the 'new'
+         * TI. If a GC gets triggered before the callee can fill in the slot
-         * object or the call object for a heavyweight callee), it needs to be
+         * (i.e. the GC happens on constructing the 'new' object or the call
-         * able to read the 'this' value to tell whether newScript constraints
+         * object for a heavyweight callee), it needs to be able to read the
-         * will need to be regenerated afterwards.
+         * 'this' value to tell whether newScript constraints will need to be
         * regenerated afterwards.
         */
-        if (cx->typeInferenceEnabled())
+        masm.storeValue(NullValue(), frame.addressOf(origThis));
            masm.storeValue(NullValue(), frame.addressOf(origThis));
    }
    if (!cx->typeInferenceEnabled()) {