Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-08 04:27:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 606141. ArrayCompPush can deep-bail, so handle that. r=jorendorff

Browse Source
This commit is contained in:
Boris Zbarsky 2010-11-04 16:37:44 -04:00
parent 24924abd15
commit 5095339b06
2 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
js/src/jsarray.cpp
View File

@ -2001,10 +2001,15 @@ js_ArrayCompPush(JSContext *cx, JSObject *obj, const Value &vp)
JSBool JS_FASTCALL
js_ArrayCompPush_tn(JSContext *cx, JSObject *obj, ValueArgType v)
{
return ArrayCompPushImpl(cx, obj, ValueArgToConstRef(v));
if (!ArrayCompPushImpl(cx, obj, ValueArgToConstRef(v))) {
SetBuiltinError(cx);
return JS_FALSE;
}
return cx->tracerState->builtinStatus == 0;
}
JS_DEFINE_CALLINFO_3(extern, BOOL, js_ArrayCompPush_tn, CONTEXT, OBJECT, VALUE,
0, nanojit::ACCSET_STORE_ANY)
JS_DEFINE_CALLINFO_3(extern, BOOL_FAIL, js_ArrayCompPush_tn, CONTEXT, OBJECT,
VALUE, 0, nanojit::ACCSET_STORE_ANY)
static JSBool
array_push(JSContext *cx, uintN argc, Value *vp)

7
js/src/jstracer.cpp
View File

@ -15526,9 +15526,12 @@ TraceRecorder::record_JSOP_ARRAYPUSH()
Value &elt = stackval(-1);
LIns *elt_ins = box_value_for_native_call(elt, get(&elt));
enterDeepBailCall();
LIns *args[] = { elt_ins, array_ins, cx_ins };
LIns *ok_ins = w.call(&js_ArrayCompPush_tn_ci, args);
guard(false, w.eqi0(ok_ins), OOM_EXIT);
pendingGuardCondition = w.call(&js_ArrayCompPush_tn_ci, args);
leaveDeepBailCall();
return ARECORD_CONTINUE;
}