mozilla-central: changeset 60248:423d37840edf794d81092bacd609fcbcc46705aa

author	Tom Schuster <evilpies@gmail.com>
	Fri, 07 Jan 2011 14:30:10 -0800
changeset 60248	423d37840edf794d81092bacd609fcbcc46705aa
parent 60247	d8586631c5f07e5a92c1406cd46bf2580a47ee70
child 60249	c55afda0470fd26369c20e89db3cbfb5ffd30ace
push id	17896
push user	cleary@mozilla.com
push date	Sat, 08 Jan 2011 08:51:06 +0000
treeherder	mozilla-central@df3c1150dd7a [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	dvander
bugs	623474
milestone	2.0b9pre
first release with	nightly linux32 4a3866321a14 / 4.0b9pre / 20110109030350 / files nightly linux64 4a3866321a14 / 4.0b9pre / 20110109030350 / files nightly mac 4a3866321a14 / 4.0b9pre / 20110109030350 / files nightly win32 4a3866321a14 / 4.0b9pre / 20110109030350 / files nightly win64 6d621e3fc42e / 4.0b10pre / 20110112074539 / files
last release without	nightly linux32 f93c5678d642 / 4.0b9pre / 20110107030356 / files nightly linux64 f93c5678d642 / 4.0b9pre / 20110107030356 / files nightly mac f93c5678d642 / 4.0b9pre / 20110107030356 / files nightly win32 f93c5678d642 / 4.0b9pre / 20110107030356 / files nightly win64 9be0e81cb86e / 4.0b9pre / 20110106045701 / files

new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug623474.js
@@ -0,0 +1,10 @@
+for (var j=0;j<2;++j) { (function(o){o.length})(String.prototype); }
+
+for each(let y in [Number, Number]) {
+    try {
+        "".length()
+    } catch(e) {}
+}
+
+/* Don't crash. */
+

--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -900,18 +900,19 @@ class GetPropCompiler : public PICStubCo
         return Lookup_Cacheable;
     }
 
     LookupStatus generateStringObjLengthStub()
     {
         Assembler masm;
 
         Jump notStringObj = masm.testObjClass(Assembler::NotEqual, pic.objReg, obj->getClass());
-        masm.loadPayload(Address(pic.objReg, JSObject::getFixedSlotOffset(
-                         JSObject::JSSLOT_PRIMITIVE_THIS)), pic.objReg);
+        masm.loadPtr(Address(pic.objReg, offsetof(JSObject, slots)), pic.objReg);
+        masm.loadPayload(Address(pic.objReg, JSObject::JSSLOT_PRIMITIVE_THIS * sizeof(Value)),
+                         pic.objReg);
         masm.loadPtr(Address(pic.objReg, JSString::offsetOfLengthAndFlags()), pic.objReg);
         masm.urshift32(Imm32(JSString::LENGTH_SHIFT), pic.objReg);
         masm.move(ImmType(JSVAL_TYPE_INT32), pic.shapeReg);
         Jump done = masm.jump();
 
         PICLinker buffer(masm, pic);
         if (!buffer.init(cx))
             return error();

js/src/jit-test/tests/jaeger/bug623474.js		file \| annotate \| diff \| comparison \| revisions
js/src/methodjit/PolyIC.cpp		file \| annotate \| diff \| comparison \| revisions