mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-02 10:00:54 +00:00
Bug 506018 - crash in js_GetClosureVar, regression from Trace JSOP_NAME for general closures. r=gal
This commit is contained in:
parent
17888173c0
commit
4ea30adb7c
@ -2117,13 +2117,13 @@ FlushNativeGlobalFrame(JSContext *cx, double *global, unsigned ngslots,
|
||||
}
|
||||
|
||||
/*
|
||||
* Generic function to read upvars on trace.
|
||||
* Generic function to read upvars on trace from slots of active frames.
|
||||
* T Traits type parameter. Must provide static functions:
|
||||
* interp_get(fp, slot) Read the value out of an interpreter frame.
|
||||
* native_slot(argc, slot) Return the position of the desired value in the on-trace
|
||||
* stack frame (with position 0 being callee).
|
||||
*
|
||||
* upvarLevel Static level of the function containing the upvar definition.
|
||||
* upvarLevel Static level of the function containing the upvar definition
|
||||
* slot Identifies the value to get. The meaning is defined by the traits type.
|
||||
* callDepth Call depth of current point relative to trace entry
|
||||
*/
|
||||
@ -2239,15 +2239,27 @@ js_GetUpvarStackOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 cal
|
||||
return js_GetUpvarOnTrace<UpvarStackTraits>(cx, upvarLevel, slot, callDepth, result);
|
||||
}
|
||||
|
||||
/*
|
||||
* Generic function to read upvars from Call objects of active heavyweight functions.
|
||||
* callee Callee Function object in which the upvar is accessed.
|
||||
* scopeIndex Number of parent steps to make from |callee| to find upvar definition.
|
||||
* This must be at least 1 because |callee| is a Function and we must reach a Call.
|
||||
* slot Slot in Call object to read.
|
||||
* callDepth callDepth of current point relative to trace entry.
|
||||
*/
|
||||
template<typename T>
|
||||
uint32 JS_INLINE
|
||||
js_GetFromClosure(JSContext* cx, JSObject* inner, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
js_GetFromClosure(JSContext* cx, JSObject* callee, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
double* result)
|
||||
{
|
||||
JSObject* call = OBJ_GET_PARENT(cx, inner);
|
||||
for (uint32 i = 0; i < scopeIndex; ++i) {
|
||||
JS_ASSERT(scopeIndex >= 1);
|
||||
JS_ASSERT(OBJ_GET_CLASS(cx, callee) == &js_FunctionClass);
|
||||
JSObject* call = callee;
|
||||
|
||||
for (uint32 i = 0; i < scopeIndex; ++i)
|
||||
call = OBJ_GET_PARENT(cx, call);
|
||||
}
|
||||
|
||||
JS_ASSERT(OBJ_GET_CLASS(cx, call) == &js_CallClass);
|
||||
|
||||
InterpState* state = cx->interpState;
|
||||
FrameInfo** fip = state->rp + callDepth;
|
||||
@ -2293,10 +2305,10 @@ private:
|
||||
};
|
||||
|
||||
uint32 JS_FASTCALL
|
||||
js_GetClosureArg(JSContext* cx, JSObject* inner, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
js_GetClosureArg(JSContext* cx, JSObject* callee, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
double* result)
|
||||
{
|
||||
return js_GetFromClosure<ArgClosureTraits>(cx, inner, scopeIndex, slot, callDepth, result);
|
||||
return js_GetFromClosure<ArgClosureTraits>(cx, callee, scopeIndex, slot, callDepth, result);
|
||||
}
|
||||
|
||||
struct VarClosureTraits
|
||||
@ -2308,10 +2320,10 @@ private:
|
||||
};
|
||||
|
||||
uint32 JS_FASTCALL
|
||||
js_GetClosureVar(JSContext* cx, JSObject* inner, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
js_GetClosureVar(JSContext* cx, JSObject* callee, uint32 scopeIndex, uint32 slot, uint32 callDepth,
|
||||
double* result)
|
||||
{
|
||||
return js_GetFromClosure<VarClosureTraits>(cx, inner, scopeIndex, slot, callDepth, result);
|
||||
return js_GetFromClosure<VarClosureTraits>(cx, callee, scopeIndex, slot, callDepth, result);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -6535,7 +6547,6 @@ TraceRecorder::scopeChainProp(JSObject* obj, jsval*& vp, LIns*& ins, bool& track
|
||||
JSAtom* atom = atoms[GET_INDEX(cx->fp->regs->pc)];
|
||||
JSObject* obj2;
|
||||
JSProperty* prop;
|
||||
JSObject* origobj = obj;
|
||||
if (!js_FindProperty(cx, ATOM_TO_JSID(atom), &obj, &obj2, &prop))
|
||||
ABORT_TRACE_ERROR("error in js_FindProperty");
|
||||
if (!prop)
|
||||
@ -6601,11 +6612,12 @@ TraceRecorder::scopeChainProp(JSObject* obj, jsval*& vp, LIns*& ins, bool& track
|
||||
} else {
|
||||
// Compute number of scope chain links to result.
|
||||
jsint scopeIndex = 0;
|
||||
JSObject* objd = origobj;
|
||||
while (objd != obj) {
|
||||
objd = OBJ_GET_PARENT(cx, objd);
|
||||
JSObject* tmp = JSVAL_TO_OBJECT(cx->fp->argv[-2]);
|
||||
while (tmp != obj) {
|
||||
tmp = OBJ_GET_PARENT(cx, tmp);
|
||||
scopeIndex++;
|
||||
}
|
||||
JS_ASSERT(scopeIndex >= 1);
|
||||
|
||||
LIns* callee_ins = get(&cx->fp->argv[-2]);
|
||||
LIns* outp = lir->insAlloc(sizeof(double));
|
||||
|
Loading…
Reference in New Issue
Block a user