Bug 757431 - Fix stack scanning in Splat (r=bhackett)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 18 Jun 2012 17:04:52 -0700
changeset 96978 a79fe8932e3f1db22a521fbdaf5e56dfb3ad570b
parent 96977 57054d8b15820f706365ba99711187d8c203d2ce
child 96979 84af366e007ff09c07fd96deddbf9e08b61a4341
push id22949
push useremorley@mozilla.com
push dateTue, 19 Jun 2012 08:15:37 +0000
reviewersbhackett
bugs757431
milestone16.0a1
Bug 757431 - Fix stack scanning in Splat (r=bhackett)
js/src/jit-test/tests/basic/bug757431.js
js/src/methodjit/MonoIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug757431.js
@@ -0,0 +1,18 @@
+
+function setterFunction(v) { called = true; }
+function getterFunction(v) { return "getter"; }
+Object.defineProperty(Array.prototype, 1,{ 
+  get: getterFunction, 
+  set: setterFunction 
+});
+gczeal(4);
+var N = 350;
+var source = "".concat(
+  repeat_str("try { f(); } finally {\n", N),
+  repeat_str("}", N));
+function repeat_str(str, repeat_count) {
+  var arr = new Array(--repeat_count);
+  while (repeat_count != 0)
+    arr[--repeat_count] = str;
+  return str.concat.apply(str, arr);
+}
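Review bot: The new test carries no comment saying what it exercises, so a reader has to reconstruct from the MonoIC.cpp change that the `str.concat.apply(str, arr)` call with N=350 elements in a holey array, plus the accessor installed on `Array.prototype[1]`, is what reaches the splat path while `gczeal(4)` forces frequent GCs. A header line such as `// Bug 757431: apply() over a large holey array whose reads hit an Array.prototype getter, under gczeal(4), must not let the GC scan stack slots that have not been filled yet.` would make the intent clear. Also, `source` is built from the repeated try/finally string but never evaluated and `f` is never defined, so that string appears to matter only as the argument list to `apply`; either note that in a comment or drop the unused variable if the reduced test still reproduces.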
--- a/js/src/methodjit/MonoIC.cpp
+++ b/js/src/methodjit/MonoIC.cpp
@@ -1,36 +1,41 @@
 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=4 sw=4 et tw=99:
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "jsscope.h"
+
+#include "jscntxt.h"
 #include "jsnum.h"
-#include "MonoIC.h"
-#include "StubCalls.h"
-#include "StubCalls-inl.h"
+#include "jsobj.h"
+#include "jsscope.h"
+
 #include "assembler/assembler/LinkBuffer.h"
 #include "assembler/assembler/MacroAssembler.h"
 #include "assembler/assembler/CodeLocation.h"
+
 #include "methodjit/CodeGenIncludes.h"
 #include "methodjit/Compiler.h"
 #include "methodjit/ICRepatcher.h"
+#include "methodjit/InlineFrameAssembler.h"
+#include "methodjit/MonoIC.h"
 #include "methodjit/PolyIC.h"
-#include "InlineFrameAssembler.h"
-#include "jsobj.h"
+#include "methodjit/StubCalls.h"
 
 #include "builtin/RegExp.h"
 
 #include "jsinterpinlines.h"
 #include "jsobjinlines.h"
 #include "jsscopeinlines.h"
 #include "jsscriptinlines.h"
 
+#include "methodjit/StubCalls-inl.h"
+
 using namespace js;
 using namespace js::mjit;
 using namespace js::mjit::ic;
 
 typedef JSC::MacroAssembler::RegisterID RegisterID;
 typedef JSC::MacroAssembler::Address Address;
 typedef JSC::MacroAssembler::Jump Jump;
 typedef JSC::MacroAssembler::Imm32 Imm32;
@@ -1087,18 +1092,23 @@ ic::SplatApplyArgs(VMFrame &f)
     /* Step 6. */
     if (length > StackSpace::ARGS_LENGTH_MAX) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                              JSMSG_TOO_MANY_FUN_APPLY_ARGS);
         THROWV(false);
     }
 
     int delta = length - 1;
-    if (delta > 0 && !BumpStack(f, delta))
-        THROWV(false);
+    if (delta > 0) {
+        if (!BumpStack(f, delta))
+            THROWV(false);
+
+        MakeRangeGCSafe(f.regs.sp, delta);
+    }
+
     f.regs.sp += delta;
 
     /* Steps 7-8. */
     if (!GetElements(cx, aobj, length, f.regs.sp - length))
         THROWV(false);
 
     f.u.call.dynamicArgc = length;
     return true;
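Review bot: The added `MakeRangeGCSafe(f.regs.sp, delta)` call has no comment explaining why the range must be cleared before `f.regs.sp` is bumped, which is the point of the fix and will not be obvious to the next reader. As far as the hunk shows, the `delta` slots above the old sp are not written until `GetElements` fills them, and `GetElements` can run arbitrary getter code that may trigger a GC, so a stack scan in that window would presumably read uninitialized Values; suggest `/* Slots above sp are garbage until GetElements fills them; make them GC-safe first, since a getter run by GetElements may trigger a GC that scans the stack. */` above the call. `SplatApplyArgs` begins before this hunk, so the declarations of `length` and `cx` are not visible here.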