[INFER] Don't attach property stubs to GETELEMs fetching stringified integer indexes, bug 677019.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 09 Aug 2011 18:18:58 -0700
changeset 76107 0a6ba466113f09af2959d0daaf641257e0283c8e
parent 76106 ee83fdb84214054ed055d13773b671acd66a182b
child 76108 8a7510ed55aa4d4034204395dc96a04da027e949
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
bugs677019
milestone8.0a1
[INFER] Don't attach property stubs to GETELEMs fetching stringified integer indexes, bug 677019.
js/src/methodjit/PolyIC.cpp
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -2713,17 +2713,23 @@ GetElementIC::attachTypedArray(JSContext
 
     return Lookup_Cacheable;
 }
 #endif /* JS_METHODJIT_TYPED_ARRAY */
 
 LookupStatus
 GetElementIC::update(VMFrame &f, JSContext *cx, JSObject *obj, const Value &v, jsid id, Value *vp)
 {
-    if (v.isString())
+    /*
+     * Only treat this as a GETPROP for non-numeric string identifiers. The
+     * GETPROP IC assumes the id has already gone through filtering for string
+     * indexes in the emitter, i.e. js_GetProtoIfDenseArray is only valid to
+     * use when looking up non-integer identifiers.
+     */
+    if (v.isString() && js_CheckForStringIndex(id) == id)
         return attachGetProp(f, cx, obj, v, id, vp);
 
 #if defined JS_METHODJIT_TYPED_ARRAY
     /*
      * Typed array ICs can make stub calls, and need to know which registers
      * are in use and need to be restored after the call. If type inference is
      * enabled then we don't necessarily know the full set of such registers
      * when generating the IC (loop-carried registers may be allocated later),
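Review bot: The invariant the new comment describes, that the GETPROP IC must never receive an integer-like id, is enforced only at this one call site in `GetElementIC::update`. `attachGetProp` is outside the hunk and, as far as the visible lines show, would still accept such an id from any other caller. Consider asserting the invariant where it is relied on, e.g. `JS_ASSERT(js_CheckForStringIndex(id) == id);` at the top of `attachGetProp`, so a debug build catches a stub that would look past a dense array's own elements. The page shows only PolyIC.cpp; if no jit-test accompanies the change, one that reads `a["0"]` in a hot loop on a dense array would pin the behaviour. The rest of `update` continues past the hunk, so how a string `v` with an index id is handled after the fall-through cannot be checked from here.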