Bug 747926 - Preserve type tag when overwriting VM stack values (r=bhackett)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 07 May 2012 10:12:58 -0700
changeset 93366 c296a4cfe0d69a42fc1a331053416088d02eab4a
parent 93365 f6f8a9d335fe84460978ab7fb0f88d49e081e02b
child 93367 b627e60ea09b8f14a5c1e9078d6513f90d7f366d
push id9099
push userwmccloskey@mozilla.com
push dateMon, 07 May 2012 17:15:25 +0000
reviewersbhackett
bugs747926
milestone15.0a1
Bug 747926 - Preserve type tag when overwriting VM stack values (r=bhackett)
js/src/jit-test/tests/basic/bug747926.js
js/src/vm/Stack.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug747926.js
@@ -0,0 +1,12 @@
+a = 'a';
+b = [,];
+exhaustiveSliceTest("exhaustive slice test 1", a);
+print('---');
+exhaustiveSliceTest("exhaustive slice test 2", b);
+function exhaustiveSliceTest(testname, a){
+  x = 0
+  var y = 0;
+  countHeap();
+    for (y=a.length; y + a.length; y--) { print(y);
+					  var b  = a.slice(x,y); }
+}
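Review bot: Nothing in bug747926.js says what it guards, and it has no assertion, so the pass condition is only implied. As far as the hunk shows, that condition is no crash or assertion failure while `countHeap()` traces the stack and the loop then keeps using the locals. A leading comment such as `// Bug 747926: tracing the stack via countHeap() must not change the type tag of dead slots.` would keep the intent visible through later cleanups. The `print(y)` calls and the `print('---')` separator look like test-reducer leftovers and could be dropped, provided the failure still reproduces without them on the parent revision.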
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -479,21 +479,26 @@ StackSpace::markFrameSlots(JSTracer *trc
      */
     analyze::AutoEnterAnalysis aea(script->compartment());
     analyze::ScriptAnalysis *analysis = script->analysis();
     uint32_t offset = pc - script->code;
     Value *fixedEnd = slotsBegin + script->nfixed;
     for (Value *vp = slotsBegin; vp < fixedEnd; vp++) {
         uint32_t slot = analyze::LocalSlot(script, vp - slotsBegin);
 
-        /* Will this slot be synced by the JIT? */
+        /*
+         * Will this slot be synced by the JIT? If not, replace with a dummy
+         * value with the same type tag.
+         */
         if (!analysis->trackSlot(slot) || analysis->liveness(slot).live(offset))
             gc::MarkValueRoot(trc, vp, "vm_stack");
-        else
-            *vp = UndefinedValue();
+        else if (vp->isObject())
+            *vp = ObjectValue(fp->scopeChain()->global());
+        else if (vp->isString())
+            *vp = StringValue(trc->runtime->atomState.nullAtom);
     }
 
     gc::MarkValueRootRange(trc, fixedEnd, slotsEnd, "vm_stack");
 }
 
 void
 StackSpace::mark(JSTracer *trc)
 {
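Review bot: The new `else if` chain in the fixed-slot loop has no final `else`, so a dead slot that is neither an object nor a string is silently left as is, and nothing states or checks that such values never hold a GC pointer. If another pointer-carrying Value kind is ever added, a dead slot of that kind would be neither marked nor replaced and could keep a stale pointer that later code trusts by its tag. I would close the chain with `else JS_ASSERT(!vp->isMarkable());` and extend the comment with `Non-markable values hold no GC pointer and are left untouched.` The comment should also say why the global and `nullAtom` are safe stand-ins (presumably both are rooted elsewhere during this trace; confirm). markFrameSlots begins above this hunk, so where `fp` and `trc` come from is not visible here.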