Bug 738841 - Fix handling of 'this' in methodjit without TI (r=bhackett)

2024-11-13 23:17:57 +00:00 · 2012-03-27 10:54:04 -07:00 · 2012-03-27 10:54:04 -07:00 · adadd6c9bd
commit adadd6c9bd
parent a5a6b40e88
3 changed files with 106 additions and 8 deletions
--- a/js/src/jit-test/tests/basic/bug738841.js
+++ b/js/src/jit-test/tests/basic/bug738841.js
@ -0,0 +1,49 @@
+try {
+    for (let z = 0; z < 1; ++evalcx("[]", newGlobal("new-compartment"))) {}
+} catch (e) {}
+try {
+    for (y in [schedulegc(58)]) {
+        b
+    }
+} catch (e) {}
+try {
+    e
+} catch (e) {}
+try {
+    (function() {
+        h
+    }())
+} catch (e) {}
+try {
+    (function() {
+        this.m.f = function() {}
+    }())
+} catch (e) {}
+try {
+    t()
+} catch (e) {}
+try {
+    p
+} catch (e) {}
+try {
+    gc()
+    p
+} catch (e) {}
+try {
+    (function() {
+        for (var v of m) {}
+    }())
+} catch (e) {}
+try {
+    m
+} catch (e) {}
+try {
+    var f = function() {
+        {
+            print(new function(q)("", s))
+            let u
+        }
+    };
+    dis(f);
+    f();
+} catch (e) {}
--- a/js/src/jit-test/tests/basic/bug738846.js
+++ b/js/src/jit-test/tests/basic/bug738846.js
@ -0,0 +1,49 @@
+try {
+    (function() {
+        var m
+        ArrayBuffer()
+        var _ = t
+        var _2 = []
+    }())
+} catch (e) {}
+try {
+    for (y in [schedulegc(58)]) {
+        m
+    }
+} catch (e) {}
+try {
+    (function() {
+        n.(O)
+    }())
+} catch (e) {}
+try {
+    (function() {
+        s
+    }())
+} catch (e) {}
+try {
+    e
+} catch (e) {}
+try {
+    "" ()
+} catch (e) {}
+try {
+    gc()
+    s
+} catch (e) {}
+try {
+    (function() {
+        for (v of m) {}
+    }())
+} catch (e) {}
+try {
+    t
+} catch (e) {}
+try {
+    (function() {
+        "use strict";
+        print(new function() {
+            r
+        }(this))
+    }())
+} catch (e) {}
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -4122,15 +4122,15 @@ mjit::Compiler::inlineCallHelper(uint32_t callImmArgc, bool callingNew, FrameSiz
        frame.discardFe(origThis);

        /*
-         * If inference is enabled, the 'this' value of the pushed frame always
-         * needs to be coherent. If a GC gets triggered before the callee can
-         * fill in the slot (i.e. the GC happens on constructing the 'new'
-         * object or the call object for a heavyweight callee), it needs to be
-         * able to read the 'this' value to tell whether newScript constraints
-         * will need to be regenerated afterwards.
+         * We store NULL here to ensure that the slot doesn't contain
+         * garbage. Additionally, we need to store a non-object value here for
+         * TI. If a GC gets triggered before the callee can fill in the slot
+         * (i.e. the GC happens on constructing the 'new' object or the call
+         * object for a heavyweight callee), it needs to be able to read the
+         * 'this' value to tell whether newScript constraints will need to be
+         * regenerated afterwards.
         */
-        if (cx->typeInferenceEnabled())
-            masm.storeValue(NullValue(), frame.addressOf(origThis));
+        masm.storeValue(NullValue(), frame.addressOf(origThis));
    }

    if (!cx->typeInferenceEnabled()) {