Bug 857576 - Make sure isOwnProperty() method of the input typeset's single typeobject's property typeset is run before main body of IonBuilder::jsop_getprop method. r=bhackett
authorKannan Vijayan <kvijayan@mozilla.com>
Thu, 04 Apr 2013 11:44:23 -0400
changeset 127670 ede8de979d5cc280b0185f5e0b787771478b0559
parent 127669 cbed4fe28c54ed2dd2bab4c1914cad44bec84597
child 127671 12554c928f609720def90615003c0f04e99086a5
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersbhackett
bugs857576
milestone23.0a1
Bug 857576 - Make sure isOwnProperty() method of the input typeset's single typeobject's property typeset is run before main body of IonBuilder::jsop_getprop method. r=bhackett
js/src/ion/BaselineIC.h
js/src/ion/IonBuilder.cpp
--- a/js/src/ion/BaselineIC.h
+++ b/js/src/ion/BaselineIC.h
@@ -3630,17 +3630,19 @@ class ICGetIntrinsic_Constant : public I
     HeapValue value_;
 
     ICGetIntrinsic_Constant(IonCode *stubCode, HandleValue value)
       : ICStub(GetIntrinsic_Constant, stubCode),
         value_(value)
     {}
 
   public:
-    static inline ICGetIntrinsic_Constant *New(ICStubSpace *space, IonCode *code, HandleValue value) {
+    static inline ICGetIntrinsic_Constant *New(ICStubSpace *space, IonCode *code,
+                                               HandleValue value)
+    {
         if (!code)
             return NULL;
         return space->allocate<ICGetIntrinsic_Constant>(code, value);
     }
 
     HeapValue &value() {
         return value_;
     }
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -6647,16 +6647,21 @@ IonBuilder::storeSlot(MDefinition *obj, 
     return resumeAfter(store);
 }
 
 bool
 IonBuilder::jsop_getprop(HandlePropertyName name)
 {
     RootedId id(cx, NameToId(name));
 
+    // GetDefiniteSlot may cause type information to shift, and it's done inside
+    // getPropTryDefiniteSlot.  Do it here first to ensure that all type info changes
+    // occur before handling the op.
+    GetDefiniteSlot(cx, oracle->unaryTypes(script(), pc).inTypes, name);
+
     RootedScript scriptRoot(cx, script());
     types::StackTypeSet *barrier = oracle->propertyReadBarrier(scriptRoot, pc);
     types::StackTypeSet *types = oracle->propertyRead(script(), pc);
     TypeOracle::Unary unary = oracle->unaryOp(script(), pc);
     TypeOracle::UnaryTypes uTypes = oracle->unaryTypes(script(), pc);
 
     bool emitted = false;
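Review bot: The added `GetDefiniteSlot(...)` call at the top of `jsop_getprop` discards its result and exists only for its side effect, but nothing in the code says so. A later cleanup could remove it as a dead call, and the compiler would again build the op from type information that shifts partway through, which is the kind of stale-type assumption that turns into type confusion in JIT-compiled code. The comment should state that the result is deliberately unused and name the cause given in the commit title, for example `// Result intentionally unused: this runs isOwnProperty() on the property typeset so type info settles before the reads below.` If other helpers called later in the body can also change type information, they would need the same ordering. That cannot be judged here, because the body of `jsop_getprop` continues past the end of the hunk.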