Bug 472599 - TM: "Assertion failure: JSVAL_IS_INT(STOBJ_GET_SLOT(callee_obj, JSSLOT_PRIVATE))" with __proto__, call, toString. r=gal

2024-09-13 09:24:08 -07:00 · 2009-01-12 13:10:09 -08:00 · 2009-01-12 13:10:09 -08:00 · ec7f94e0da
commit ec7f94e0da
parent 9408a9add9
1 changed files with 6 additions and 2 deletions
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -6042,7 +6042,7 @@ TraceRecorder::functionCall(bool constructing, uintN argc)

    if (!VALUE_IS_FUNCTION(cx, fval))
        ABORT_TRACE("callee is not a function");
-    
+
    jsval& tval = stackval(0 - (argc + 1));
    LIns* this_ins = get(&tval);

@ -6663,6 +6663,8 @@ TraceRecorder::record_JSOP_CALLUPVAR()
 JS_REQUIRES_STACK bool
 TraceRecorder::guardCallee(jsval& callee)
 {
+    JS_ASSERT(VALUE_IS_FUNCTION(cx, callee));
+
    LIns* exit = snapshot(BRANCH_EXIT);
    JSObject* callee_obj = JSVAL_TO_OBJECT(callee);
    LIns* callee_ins = get(&callee);
@ -6795,10 +6797,12 @@ TraceRecorder::record_JSOP_APPLY()
     */
    if (argc > 0 && JSVAL_IS_PRIMITIVE(vp[2]))
        return record_JSOP_CALL();
-    
+
    /*
     * Guard on the identity of this, which is the function we are applying.
     */
+    if (!VALUE_IS_FUNCTION(cx, vp[1]))
+        ABORT_TRACE("callee is not a function");
    if (!guardCallee(vp[1]))
        return false;