The VP engineering broke JSOP_NAME! We have to check whether the slot is actually interned and otherwise abort.
The VP engineering broke JSOP_NAME! We have to check whether the slot is actually interned and otherwise abort.
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -2835,16 +2835,19 @@ bool TraceRecorder::record_JSOP_SETNAME(
if (obj != cx->fp->scopeChain || obj != globalObj)
return false;
LIns* obj_ins = get(&l);
uint32 slot;
if (!test_property_cache_direct_slot(obj, obj_ins, slot))
return false;
+ if (!tracker.has(&STOBJ_GET_SLOT(obj, slot)))
+ ABORT_TRACE("JSOP_NAME on non-interned global: save us, upvar!");
+
LIns* r_ins = get(&r);
set(&STOBJ_GET_SLOT(obj, slot), r_ins);
if (cx->fp->regs->pc[JSOP_SETNAME_LENGTH] != JSOP_POP)
stack(-2, r_ins);
return true;
}
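Review bot: The abort message added at `ABORT_TRACE("JSOP_NAME on non-interned global: save us, upvar!");` names JSOP_NAME, but the hunk header shows this is the body of record_JSOP_SETNAME, so trace-abort diagnostics will attribute the bail-out to the wrong opcode; `ABORT_TRACE("JSOP_SETNAME on non-interned global: save us, upvar!");` keeps the log attributable. The guard itself is sound in placement: it runs after test_property_cache_direct_slot has produced `slot` and before `set(&STOBJ_GET_SLOT(obj, slot), r_ins)`, so the recorder refuses to emit a store into a global slot the tracker has not seen rather than writing an untracked slot. A one-line comment above the check, such as `// Only record stores to globals the tracker already knows; bail otherwise.`, would make the intent clearer than the message alone. The enclosing function starts outside the hunk.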
--- a/js/src/jstracer.h
+++ b/js/src/jstracer.h
@@ -202,17 +202,17 @@ class TraceRecorder {
void stobj_set_slot(nanojit::LIns* obj_ins, unsigned slot,
nanojit::LIns*& dslots_ins, nanojit::LIns* v_ins);
nanojit::LIns* stobj_get_slot(nanojit::LIns* obj_ins, unsigned slot,
nanojit::LIns*& dslots_ins);
bool native_set(nanojit::LIns* obj_ins, JSScopeProperty* sprop,
nanojit::LIns*& dslots_ins, nanojit::LIns* v_ins);
bool native_get(nanojit::LIns* obj_ins, nanojit::LIns* pobj_ins, JSScopeProperty* sprop,
nanojit::LIns*& dslots_ins, nanojit::LIns*& v_ins);
-
+
bool prop(JSObject* obj, nanojit::LIns* obj_ins, uint32& slot, nanojit::LIns*& v_ins);
bool elem(jsval& l, jsval& r, jsval*& vp, nanojit::LIns*& v_ins, nanojit::LIns*& addr_ins);
bool getProp(JSObject* obj, nanojit::LIns* obj_ins);
bool getProp(jsval& v);
bool getThis(nanojit::LIns*& this_ins);
bool box_jsval(jsval v, nanojit::LIns*& v_ins);