[INFER] Fixes for crashtest and jstestbrowser.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 04 Apr 2011 13:06:38 -0700
changeset 74901 013df702176d09a6206b1db08a4ab893ffccc667
parent 74900 a58525f1f4bea5e544972ae39e4ba2ce14d20304
child 74902 83c58db6e5902fc9e2ed0ffba4d5b7ab8104ff43
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
milestone2.2a1pre
[INFER] Fixes for crashtest and jstestbrowser.
js/src/methodjit/Compiler.cpp
js/src/methodjit/FrameState.cpp
js/src/methodjit/Retcon.cpp
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -3254,17 +3254,21 @@ mjit::Compiler::inlineCallHelper(uint32 
         speculatedArgc = 1;
     } else {
         speculatedArgc = callImmArgc;
     }
 
     FrameEntry *origCallee = frame.peek(-(speculatedArgc + 2));
     FrameEntry *origThis = frame.peek(-(speculatedArgc + 1));
 
-    /* 'this' does not need to be synced for constructing. */
+    /*
+     * 'this' does not need to be synced for constructing. :FIXME: is it
+     * possible that one of the arguments is directly copying the 'this'
+     * entry (something like 'new x.f(x)')?
+     */
     if (callingNew)
         frame.discardFe(origThis);
 
     if (!cx->typeInferenceEnabled()) {
         CompileStatus status = callArrayBuiltin(callImmArgc, callingNew);
         if (status != Compile_InlineAbort)
             return status;
     }
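Review bot: The new FIXME leaves an open correctness question about `frame.discardFe(origThis)` on the line directly below it while the code path itself is unchanged, so a reader cannot tell whether the `new x.f(x)` case is known-safe or known-broken. If the concern is real, a debug-only check that no argument entry aliases origThis before the discard would turn the question into a failing assertion instead of a silent miscompile; if it is not, the comment should say why. Either way, pointing the FIXME at a tracked bug would be clearer than leaving it as a question in the source. inlineCallHelper starts and ends outside the hunk.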
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -2089,16 +2089,17 @@ FrameState::ownRegForData(FrameEntry *fe
 }
 
 void
 FrameState::discardFe(FrameEntry *fe)
 {
     forgetEntry(fe);
     fe->type.setMemory();
     fe->data.setMemory();
+    fe->clear();
 }
 
 void
 FrameState::pushDouble(FPRegisterID fpreg)
 {
     FrameEntry *fe = rawPush();
     fe->resetUnsynced();
     fe->setType(JSVAL_TYPE_DOUBLE);
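Review bot: The added `fe->clear()` follows `fe->type.setMemory()` and `fe->data.setMemory()` with no comment on why all three calls are needed, and it is not visible from this hunk whether clear() resets those same fields (which would make the two setMemory() calls dead) or leaves them untouched. A one-line why-comment above the call would settle it, e.g. `/* Reset the entry so stale copy/type state is not reused after the discard. */`, adjusted to what clear() actually does. If clear() does reset type and data, the two preceding lines can be removed rather than kept alongside it. discardFe is fully visible in the hunk.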
--- a/js/src/methodjit/Retcon.cpp
+++ b/js/src/methodjit/Retcon.cpp
@@ -516,17 +516,17 @@ Recompiler::recompile()
     ReleaseScriptCode(cx, script, false);
 
     /*
      * Regenerate the code if there are JIT frames on the stack, if this script
      * has inline parents and thus always needs JIT code, or if it is a newly
      * pushed frame by e.g. the interpreter. :XXX: it would be nice if we could
      * ensure that compiling a script does not then trigger its recompilation.
      */
-    JSStackFrame *top = (cx->fp() && cx->fp()->isScriptFrame()) ? cx->fp() : NULL;
+    JSStackFrame *top = (cx->regs && cx->fp() && cx->fp()->isScriptFrame()) ? cx->fp() : NULL;
     bool keepNormal = !normalFrames.empty() || script->inlineParents ||
         (top && top->script() == script && !top->isConstructing());
     bool keepCtor = !ctorFrames.empty() ||
         (top && top->script() == script && top->isConstructing());
 
     if (keepNormal && !recompile(script, false,
                                  normalFrames, normalPatches, normalSites, normalNatives)) {
         return false;
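Review bot: The new `cx->regs &&` guard in the `top` initializer has no comment explaining why `cx->fp()` must not be called when regs is unset, so the next person simplifying the condition is likely to drop it again. A short why-comment above the line, e.g. `/* cx->fp() is only meaningful while cx->regs is set; with no running frame there is no 'top'. */`, worded to match what fp() actually requires, would keep the fix from regressing. Separately, `top && top->script() == script` is evaluated in both keepNormal and keepCtor and could be computed once into a local. recompile() continues past the end of the hunk.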