Bug 632901 - TM: crash when assigning to function.arguments. r=dvander.

This commit is contained in:
Nicholas Nethercote 2011-02-17 14:31:52 -08:00
parent 7032e92ee5
commit 7ce1ece928
3 changed files with 29 additions and 5 deletions


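--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,9 @@
+// don't crash when tracing
+function f(o) {
+var prop = "arguments";
+f[prop] = f[prop];
+}
+for(var i=0; i<10; i++) {
+f();
+}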
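Review bot: The comment on the first line says only that tracing must not crash; naming the shape that triggers the bug would help the next reader, e.g. `// Bug 632901: assigning through a computed "arguments" name (f[prop] = f[prop]) must not crash the tracer.` The ten-iteration loop presumably exists so that f() becomes hot enough to be recorded; a word about that in the comment would stop someone from lowering the count and silently turning the test into a no-op. The parameter o is never read and f is always called without arguments, so it could be dropped unless it is deliberate.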


@ -10328,7 +10328,7 @@ class BoxArg
* argument values into the object as properties in case it is used after
* this frame returns.
*/
JS_REQUIRES_STACK void
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::putActivationObjects()
{
JSStackFrame *const fp = cx->fp();
@ -10336,7 +10336,20 @@ TraceRecorder::putActivationObjects()
bool have_call = fp->isFunctionFrame() && fp->fun()->isHeavyweight();
if (!have_args && !have_call)
return;
return ARECORD_CONTINUE;
if (have_args && !fp->script()->usesArguments) {
/*
* have_args is true, so |arguments| has been accessed, but
* usesArguments is false, so there's no statically visible access.
* It must have been a dodgy access like |f["arguments"]|; just
* abort. (In the case where the record-time property name is not
* "arguments" but a later run-time property name is, we wouldn't have
* emitted the call to js_PutArgumentsOnTrace(), and js_GetArgsValue()
* will deep bail asking for the top JSStackFrame.)
*/
RETURN_STOP_A("dodgy arguments access");
}
uintN nformal = fp->numFormalArgs();
uintN nactual = fp->numActualArgs();
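Review bot: The new abort `if (have_args && !fp->script()->usesArguments)` covers only the case where the record-time property name is "arguments"; the parenthetical in the added comment says the other order (a different name at record time, "arguments" later) is left to a deep bail in js_GetArgsValue(), and the regression test in this commit exercises only the first case, so a second test that switches the property name after the loop has warmed up would pin the second path. The doc comment that opens this function (it begins before the first hunk, above `TraceRecorder::putActivationObjects()`) still describes only the storing of argument values; a line such as `* Returns ARECORD_STOP when |arguments| was reached dynamically (have_args set but usesArguments clear).` would document the new return value. The line that sets have_args is not visible in these hunks, so its exact condition is assumed to be the one the comment describes.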
@ -10380,6 +10393,8 @@ TraceRecorder::putActivationObjects()
w.nameImmi(fp->numFormalArgs()), scopeChain_ins, cx_ins };
w.call(&js_PutCallObjectOnTrace_ci, args);
}
return ARECORD_CONTINUE;
}
JS_REQUIRES_STACK AbortableRecordingStatus
@ -10572,7 +10587,7 @@ TraceRecorder::record_JSOP_RETURN()
return endLoop();
}
putActivationObjects();
CHECK_STATUS_A(putActivationObjects());
if (Probes::callTrackingActive(cx)) {
LIns* args[] = { w.immi(0), w.nameImmpNonGC(cx->fp()->fun()), cx_ins };
@ -16219,7 +16234,7 @@ TraceRecorder::record_JSOP_STOP()
return ARECORD_CONTINUE;
}
putActivationObjects();
CHECK_STATUS_A(putActivationObjects());
if (Probes::callTrackingActive(cx)) {
LIns* args[] = { w.immi(0), w.nameImmpNonGC(cx->fp()->fun()), cx_ins };


@ -1482,7 +1482,7 @@ class TraceRecorder
VMSideExit* exit);
JS_REQUIRES_STACK RecordingStatus guardNativeConversion(Value& v);
JS_REQUIRES_STACK void clearReturningFrameFromNativeTracker();
JS_REQUIRES_STACK void putActivationObjects();
JS_REQUIRES_STACK AbortableRecordingStatus putActivationObjects();
JS_REQUIRES_STACK RecordingStatus createThis(JSObject& ctor, nanojit::LIns* ctor_ins,
nanojit::LIns** thisobj_insp);
JS_REQUIRES_STACK RecordingStatus guardCallee(Value& callee);