Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-02-17 22:32:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 870478 - Baseline Call_Scripted stub uses untraced this-value. r=terrence

Browse Source
This commit is contained in:
Kannan Vijayan 2013-05-14 12:23:34 -04:00
parent 968ce4b78d
commit bb24402b54
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
js/src/ion/BaselineIC.cpp
View File

@ -7178,8 +7178,23 @@ ICCallScriptedCompiler::generateStubCode(MacroAssembler &masm)
Label skipThisReplace;
masm.branchTestObject(Assembler::Equal, JSReturnOperand, &skipThisReplace);
Register scratchReg = JSReturnOperand.scratchReg();
// Current stack: [ ARGVALS..., ThisVal, ActualArgc, Callee, Descriptor ]
masm.loadValue(Address(BaselineStackReg, 3*sizeof(size_t)), JSReturnOperand);
// However, we can't use this ThisVal, because it hasn't been traced. We need to use
// The ThisVal higher up the stack:
// Current stack: [ ThisVal, ARGVALS..., ...STUB FRAME...,
// ARGVALS..., ThisVal, ActualArgc, Callee, Descriptor ]
masm.loadPtr(Address(BaselineStackReg, 2*sizeof(size_t)), scratchReg);
// scratchReg now contains actualArgCount. Double it to account for skipping past two
// pushed copies of argument values. Additionally, we need to add:
// STUB_FRAME_SIZE + sizeof(ThisVal) + sizeof(size_t) + sizeof(void *) + sizoef(size_t)
// for: stub frame, this value, actual argc, callee, and descriptor
masm.lshiftPtr(Imm32(1), scratchReg);
BaseIndex reloadThisSlot(BaselineStackReg, scratchReg, TimesEight,
STUB_FRAME_SIZE + sizeof(Value) + 3*sizeof(size_t));
masm.loadValue(reloadThisSlot, JSReturnOperand);
#ifdef DEBUG
masm.branchTestObject(Assembler::Equal, JSReturnOperand, &skipThisReplace);
masm.breakpoint();