Bug 472599 - TM: "Assertion failure: JSVAL_IS_INT(STOBJ_GET_SLOT(callee_obj, JSSLOT_PRIVATE))" with __proto__, call, toString. r=gal
authorJeff Walden <jwalden@mit.edu>
Mon, 12 Jan 2009 13:10:09 -0800
changeset 23712 9043aef7fffeca97559372ba24f9a8378aed1789
parent 23711 e557751f1001fb36b4a3bba6d27c823fe31b4d6f
child 23713 fe5c66a876be69b9d3f72090a2560e16d66c0e46
child 23716 8775c279e59c3fbdbf220db6edd9fbf82a3a35de
push id4690
push userrsayre@mozilla.com
push dateThu, 15 Jan 2009 07:42:55 +0000
reviewersgal
bugs472599
milestone1.9.2a1pre
Bug 472599 - TM: "Assertion failure: JSVAL_IS_INT(STOBJ_GET_SLOT(callee_obj, JSSLOT_PRIVATE))" with __proto__, call, toString. r=gal
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -6037,17 +6037,17 @@ TraceRecorder::functionCall(bool constru
     JSStackFrame* fp = cx->fp;
     jsbytecode *pc = fp->regs->pc;
 
     jsval& fval = stackval(0 - (2 + argc));
     JS_ASSERT(&fval >= StackBase(fp));
 
     if (!VALUE_IS_FUNCTION(cx, fval))
         ABORT_TRACE("callee is not a function");
-    
+
     jsval& tval = stackval(0 - (argc + 1));
     LIns* this_ins = get(&tval);
 
     /*
      * If this is NULL, this is a shapeless call. If we observe a shapeless call
      * at recording time, the call at this point will always be shapeless so we
      * can make the decision based on recording-time introspection of this.
      */
@@ -6658,16 +6658,18 @@ JS_REQUIRES_STACK bool
 TraceRecorder::record_JSOP_CALLUPVAR()
 {
     return false;
 }
 
 JS_REQUIRES_STACK bool
 TraceRecorder::guardCallee(jsval& callee)
 {
+    JS_ASSERT(VALUE_IS_FUNCTION(cx, callee));
+
     LIns* exit = snapshot(BRANCH_EXIT);
     JSObject* callee_obj = JSVAL_TO_OBJECT(callee);
     LIns* callee_ins = get(&callee);
 
     /*
      * NB: The following guard guards at runtime that the callee is a
      * function. Even if the given value is an object that doesn't have
      * a private slot, the value we're matching against is not forgeable.
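Review bot: The new `JS_ASSERT(VALUE_IS_FUNCTION(cx, callee))` states a precondition of guardCallee, but an assertion only fires in debug builds; in release builds the `JSVAL_TO_OBJECT(callee)` on the next lines still runs on whatever the caller passed in, so correctness rests on every caller rejecting non-functions before calling here. That contract is currently implicit; a short comment above the signature would make it explicit: `/* Precondition: callee is a function object. Callers must ABORT_TRACE (not rely on this assert) when it is not; see functionCall and record_JSOP_APPLY. */`. The body of guardCallee continues past the end of this hunk, so the remaining uses of callee_obj were not reviewed here.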
@@ -6790,20 +6792,22 @@ TraceRecorder::record_JSOP_APPLY()
         return record_JSOP_CALL();
 
     /*
      * We don't trace apply and call with a primitive 'this', which is the
      * first positional parameter.
      */
     if (argc > 0 && JSVAL_IS_PRIMITIVE(vp[2]))
         return record_JSOP_CALL();
-    
+
     /*
      * Guard on the identity of this, which is the function we are applying.
      */
+    if (!VALUE_IS_FUNCTION(cx, vp[1]))
+        ABORT_TRACE("callee is not a function");
     if (!guardCallee(vp[1]))
         return false;
 
     if (apply && argc >= 2) {
         if (argc != 2)
             ABORT_TRACE("apply with excess arguments");
         if (JSVAL_IS_PRIMITIVE(vp[3]))
             ABORT_TRACE("arguments parameter of apply is primitive");
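Review bot: The added `VALUE_IS_FUNCTION(cx, vp[1])` check is placed between the comment "Guard on the identity of this, which is the function we are applying" and the `guardCallee(vp[1])` call it describes, so the comment now reads as if it documented the new abort rather than the guard. Either move the two new lines above the comment block or extend the comment, e.g. `/* Abort unless 'this' is a function object (guardCallee requires it), then guard on its identity, which is the function we are applying. */`. The check itself mirrors the one in functionCall (same message, same ABORT_TRACE), which keeps the two trace-time entry points consistent; the enclosing function continues beyond this hunk.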