Bug 879079 - Fix rooting analysis bugs from calls to ToNumber; r=sfink

--HG-- extra : rebase_source : 98a04e315c9a372864d37447a102960737457aa1
2024-10-24 10:45:42 +00:00 · 2013-06-04 16:14:14 -07:00 · 2013-06-04 16:14:14 -07:00 · 7c14d8cf98
commit 7c14d8cf98
parent 86c57d04d0
4 changed files with 18 additions and 19 deletions
--- a/js/src/ion/BaselineIC.cpp
+++ b/js/src/ion/BaselineIC.cpp
@ -2351,7 +2351,7 @@ DoToNumberFallback(JSContext *cx, ICToNumber_Fallback *stub, HandleValue arg, Mu
 {
    FallbackICSpew(cx, stub, "ToNumber");
    ret.set(arg);
-    return ToNumber(cx, ret.address());
+    return ToNumber(cx, ret);
 }

 typedef bool (*DoToNumberFallbackFn)(JSContext *, ICToNumber_Fallback *, HandleValue, MutableHandleValue);
--- a/js/src/jsnum.cpp
+++ b/js/src/jsnum.cpp
@ -423,24 +423,26 @@ Class NumberObject::class_ = {
 static JSBool
 Number(JSContext *cx, unsigned argc, Value *vp)
 {
-    /* Sample JS_CALLEE before clobbering. */
-    bool isConstructing = IsConstructing(vp);
+    CallArgs args = CallArgsFromVp(argc, vp);

-    if (argc > 0) {
-        if (!ToNumber(cx, &vp[2]))
+    /* Sample JS_CALLEE before clobbering. */
+    bool isConstructing = IsConstructing(args);
+
+    if (args.length() > 0) {
+        if (!ToNumber(cx, args.handleAt(0)))
            return false;
-        vp[0] = vp[2];
+        args.rval().set(args[0]);
    } else {
-        vp[0].setInt32(0);
+        args.rval().setInt32(0);
    }

    if (!isConstructing)
        return true;

-    JSObject *obj = NumberObject::create(cx, vp[0].toNumber());
+    JSObject *obj = NumberObject::create(cx, args.rval().toNumber());
    if (!obj)
        return false;
-    vp->setObject(*obj);
+    args.rval().setObject(*obj);
    return true;
 }

--- a/js/src/jsnum.h
+++ b/js/src/jsnum.h
@ -133,23 +133,20 @@ GetPrefixInteger(JSContext *cx, const jschar *start, const jschar *end, int base

 /* ES5 9.3 ToNumber, overwriting *vp with the appropriate number value. */
 JS_ALWAYS_INLINE bool
-ToNumber(JSContext *cx, Value *vp)
+ToNumber(JSContext *cx, JS::MutableHandleValue vp)
 {
 #ifdef DEBUG
-    {
-        SkipRoot skip(cx, vp);
-        MaybeCheckStackRoots(cx);
-    }
+    MaybeCheckStackRoots(cx);
 #endif

-    if (vp->isNumber())
+    if (vp.isNumber())
        return true;
    double d;
-    extern bool ToNumberSlow(JSContext *cx, js::Value v, double *dp);
-    if (!ToNumberSlow(cx, *vp, &d))
+    extern bool ToNumberSlow(JSContext *cx, Value v, double *dp);
+    if (!ToNumberSlow(cx, vp, &d))
        return false;

-    vp->setNumber(d);
+    vp.setNumber(d);
    return true;
 }

--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@ -2019,7 +2019,7 @@ BEGIN_CASE(JSOP_NEG)
 END_CASE(JSOP_NEG)

 BEGIN_CASE(JSOP_POS)
-    if (!ToNumber(cx, &regs.sp[-1]))
+    if (!ToNumber(cx, MutableHandleValue::fromMarkedLocation(&regs.sp[-1])))
        goto error;
    if (!regs.sp[-1].isInt32())
        TypeScript::MonitorOverflow(cx, script, regs.pc);