Censor call object and substitute it with global object in getThis (496325, r=mrbkap).
authorAndreas Gal <gal@mozilla.com>
Thu, 04 Jun 2009 21:04:32 -0700
changeset 28961 6afc57314e7488ed986b06e42759c99731288a31
parent 28960 ea72bb61b70158c8213c576e8565696ae3553b17
child 28962 d0060a58e57da4b19f066f646c7b9e09cdd82beb
push id7347
push userrsayre@mozilla.com
push dateFri, 05 Jun 2009 08:41:32 +0000
reviewersmrbkap
bugs496325
milestone1.9.2a1pre
Censor call object and substitute it with global object in getThis (496325, r=mrbkap).
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -6777,39 +6777,40 @@ TraceRecorder::getThis(LIns*& this_ins)
 
         /*
          * We don't have argv[-1] in global code, so we don't update the tracker here.
          */
         return JSRS_CONTINUE;
     }
 
     jsval& thisv = cx->fp->argv[-1];
+    JS_ASSERT(JSVAL_IS_OBJECT(thisv));
 
     /*
      * Traces type-specialize between null and objects, so if we currently see a null
      * value in argv[-1], this trace will only match if we see null at runtime as well.
      * Bake in the global object as 'this' object, updating the tracker as well. We
      * can only detect this condition prior to calling js_ComputeThisForFrame, since it
      * updates the interpreter's copy of argv[-1].
      */
-    if (JSVAL_IS_NULL(original)) {
+    if (JSVAL_IS_NULL(original) ||
+        guardClass(JSVAL_TO_OBJECT(original), get(&thisv), &js_CallClass, snapshot(BRANCH_EXIT))) {
         JS_ASSERT(!JSVAL_IS_PRIMITIVE(thisv));
         if (thisObj != globalObj)
             ABORT_TRACE("global object was wrapped while recording");
         this_ins = INS_CONSTPTR(thisObj);
         set(&thisv, this_ins);
         return JSRS_CONTINUE;
     }
     this_ins = get(&thisv);
 
     /*
      * The only unwrapped object that needs to be wrapped that we can get here is the
      * global object obtained throught the scope chain.
      */
-    JS_ASSERT(JSVAL_IS_OBJECT(thisv));
     JSObject* obj = js_GetWrappedObject(cx, JSVAL_TO_OBJECT(thisv));
     OBJ_TO_INNER_OBJECT(cx, obj);
     if (!obj)
         return JSRS_ERROR;
 
     JS_ASSERT(original == thisv || original == OBJECT_TO_JSVAL(obj));
     this_ins = lir->ins_choose(lir->ins2(LIR_eq,
                                          this_ins,
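Review bot: The new `guardClass(JSVAL_TO_OBJECT(original), ...)` call reads the class of `original`, but the assertion this commit moves up checks `thisv`, so nothing visible in the hunk establishes that `original` is a non-null object once the `JSVAL_IS_NULL` test fails. JS_ASSERT presumably compiles out of release builds, so if a primitive could ever reach this point the recorder would treat its bits as a `JSObject*`; adding `JS_ASSERT(!JSVAL_IS_PRIMITIVE(original));` just before the `if` would pin the invariant where it is relied on. The block comment above the condition still describes only the null case and should also say that a Call object found in argv[-1] is replaced by the global object so that it is never exposed as `this`; the `ABORT_TRACE` message now covers that path as well. getThis starts before this hunk and continues past its last line, and the assignment of `original` is not visible here.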