Fix JSOP_ARGSUB to abort on frame with arguments object (624547, r=dvander).

2025-02-28 13:21:28 +00:00 · 2011-01-11 12:47:34 -08:00 · 2011-01-11 12:47:34 -08:00 · 740ecbadaf
commit 740ecbadaf
parent 4b39d607a6
3 changed files with 26 additions and 1 deletions
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -15342,10 +15342,18 @@ JS_REQUIRES_STACK AbortableRecordingStatus
 TraceRecorder::record_JSOP_ARGSUB()
 {
    JSStackFrame* const fp = cx->fp();
-    if (!fp->fun()->isHeavyweight()) {
+
+    /*
+     * The arguments object or its absence in the frame is part of the typemap,
+     * so a record-time check suffices here. We don't bother tracing ARGSUB in
+     * the case of an arguments object exising, because ARGSUB and to a lesser
+     * extent ARGCNT are emitted to avoid arguments object creation.
+     */
+    if (!fp->hasArgsObj() && !fp->fun()->isHeavyweight()) {
        uintN slot = GET_ARGNO(cx->regs->pc);
        if (slot >= fp->numActualArgs())
            RETURN_STOP_A("can't trace out-of-range arguments");
+
        stack(0, get(&cx->fp()->canonicalActualArg(slot)));
        return ARECORD_CONTINUE;
    }
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@ -77,3 +77,4 @@ script regress-620376-1.js
 script regress-620376-2.js
 script regress-621814.js
 script regress-620750.js
+script regress-624547.js
--- a/js/src/tests/js1_8_5/regress/regress-624547.js
+++ b/js/src/tests/js1_8_5/regress/regress-624547.js
@ -0,0 +1,16 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+function f(x) {
+    delete arguments[0];
+    for(var i=0; i<20; i++) {
+        arguments[0] !== undefined;
+    }
+}
+
+/* Don't crash. */
+f(1);
+
+reportCompare(0, 0, "ok");