Bug 1132770 - Don't omit overrecursion check in scripts with potential scripted getter/setter ICs. r=sunfish

js/src/jit-test/tests/ion/bug1132770.js

@@ -0,0 +1,4 @@
+// |jit-test| error: too much recursion
+Object.defineProperty(this, "x", {set: function() { this.x = 2; }});
+setJitCompilerOption("ion.warmup.trigger", 30);
+x ^= 1;

js/src/jit/Lowering.cpp

@@ -3066,6 +3066,11 @@ LIRGenerator::visitGetNameCache(MGetNameCache *ins)
 {
     MOZ_ASSERT(ins->scopeObj()->type() == MIRType_Object);
 
+    // Set the performs-call flag so that we don't omit the overrecursed check.
+    // This is necessary because the cache can attach a scripted getter stub
+    // that calls this script recursively.
+    gen->setPerformsCall();
+
     LGetNameCache *lir = new(alloc()) LGetNameCache(useRegister(ins->scopeObj()));
     defineBox(lir, ins);
     assignSafepoint(lir, ins);
@@ -3083,6 +3088,14 @@ void
 LIRGenerator::visitGetPropertyCache(MGetPropertyCache *ins)
 {
     MOZ_ASSERT(ins->object()->type() == MIRType_Object);
+
+    if (ins->monitoredResult()) {
+        // Set the performs-call flag so that we don't omit the overrecursed
+        // check. This is necessary because the cache can attach a scripted
+        // getter stub that calls this script recursively.
+        gen->setPerformsCall();
+    }
+
     if (ins->type() == MIRType_Value) {
         LGetPropertyCacheV *lir = new(alloc()) LGetPropertyCacheV(useRegister(ins->object()));
         defineBox(lir, ins);
@@ -3313,6 +3326,11 @@ LIRGenerator::visitSetPropertyCache(MSetPropertyCache *ins)
     LUse obj = useRegisterAtStart(ins->object());
     LDefinition slots = tempCopy(ins->object(), 0);
 
+    // Set the performs-call flag so that we don't omit the overrecursed check.
+    // This is necessary because the cache can attach a scripted setter stub
+    // that calls this script recursively.
+    gen->setPerformsCall();
+
     LInstruction *lir;
     if (ins->value()->type() == MIRType_Value) {
         lir = new(alloc()) LSetPropertyCacheV(obj, slots);