From e9c1a8350908f3d7ea979e57862284118b20a56f Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Thu, 19 Feb 2015 13:19:05 +0100
Subject: [PATCH] Bug 1132770 - Don't omit overrecursion check in scripts with
 potential scripted getter/setter ICs. r=sunfish

---
 js/src/jit-test/tests/ion/bug1132770.js |  4 ++++
 js/src/jit/Lowering.cpp                 | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 js/src/jit-test/tests/ion/bug1132770.js

diff --git a/js/src/jit-test/tests/ion/bug1132770.js b/js/src/jit-test/tests/ion/bug1132770.js
new file mode 100644
index 00000000000..51f6a44d6fa
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1132770.js
@@ -0,0 +1,4 @@
+// |jit-test| error: too much recursion
+Object.defineProperty(this, "x", {set: function() { this.x = 2; }});
+setJitCompilerOption("ion.warmup.trigger", 30);
+x ^= 1;
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index f54d75a2946..d05cbab0859 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -3066,6 +3066,11 @@ LIRGenerator::visitGetNameCache(MGetNameCache *ins)
 {
     MOZ_ASSERT(ins->scopeObj()->type() == MIRType_Object);
 
+    // Set the performs-call flag so that we don't omit the overrecursed check.
+    // This is necessary because the cache can attach a scripted getter stub
+    // that calls this script recursively.
+    gen->setPerformsCall();
+
     LGetNameCache *lir = new(alloc()) LGetNameCache(useRegister(ins->scopeObj()));
     defineBox(lir, ins);
     assignSafepoint(lir, ins);
@@ -3083,6 +3088,14 @@ void
 LIRGenerator::visitGetPropertyCache(MGetPropertyCache *ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType_Object);
+
+    if (ins->monitoredResult()) {
+        // Set the performs-call flag so that we don't omit the overrecursed
+        // check. This is necessary because the cache can attach a scripted
+        // getter stub that calls this script recursively.
+        gen->setPerformsCall();
+    }
+
     if (ins->type() == MIRType_Value) {
         LGetPropertyCacheV *lir = new(alloc()) LGetPropertyCacheV(useRegister(ins->object()));
         defineBox(lir, ins);
@@ -3313,6 +3326,11 @@ LIRGenerator::visitSetPropertyCache(MSetPropertyCache *ins)
     LUse obj = useRegisterAtStart(ins->object());
     LDefinition slots = tempCopy(ins->object(), 0);
 
+    // Set the performs-call flag so that we don't omit the overrecursed check.
+    // This is necessary because the cache can attach a scripted setter stub
+    // that calls this script recursively.
+    gen->setPerformsCall();
+
     LInstruction *lir;
     if (ins->value()->type() == MIRType_Value) {
         lir = new(alloc()) LSetPropertyCacheV(obj, slots);