[INFER] Fix uses of FrameEntrys from tracker >= sp, bug 640614.
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 10 Mar 2011 12:17:19 -0800
changeset 74753 154ac7e67f8ba21472334a2e6b03f803023987b3
parent 74752 af764018d6f7e354fb7bedc68cdc79909cdb00e7
child 74754 80c5a1b0d8d612821165036b59130903fda11ac3
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs640614
milestone2.0b13pre
[INFER] Fix uses of FrameEntrys from tracker >= sp, bug 640614.
js/src/jit-test/tests/jaeger/bug640614.js
js/src/methodjit/FrameState.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug640614.js
@@ -0,0 +1,5 @@
+function f(x) {
+    x = 2 ^ x++;
+    if (x) {}
+}
+f(1.1);
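Review bot: The test carries no comment saying what it guards, and it passes simply by not crashing or asserting, so a later reader cannot tell which path it is meant to reach. A header line such as `// Bug 640614: tracker entries at or above sp must not be treated as live copies.` would record that. The commit changes both ensureDouble and hasOnlyCopy, and it is not evident from this single call that both loops are exercised; if hasOnlyCopy is not reached, a second case would be worth adding.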
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -1671,17 +1671,17 @@ FrameState::ensureDouble(FrameEntry *fe)
     if (fe->isCopy()) {
         /* Forget this entry is a copy.  We are converting this entry, not the backing. */
         backing = fe->copyOf();
         fe->clear();
     } else if (fe->isCopied()) {
         /* Sync and forget any copies of this entry. */
         for (uint32 i = fe->trackerIndex() + 1; i < tracker.nentries; i++) {
             FrameEntry *nfe = tracker[i];
-            if (nfe->isCopy() && nfe->copyOf() == fe) {
+            if (nfe < sp && nfe->isCopy() && nfe->copyOf() == fe) {
                 syncFe(nfe);
                 nfe->resetSynced();
             }
         }
     }
 
     FPRegisterID fpreg = allocFPReg();
 
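Review bot: The new `nfe < sp` test in the copy loop has no comment explaining why the tracker can still list an entry at or above sp, and the same guard is repeated by hand in hasOnlyCopy in the next hunk. I would add `/* The tracker may still list entries at or above sp; their copy state is stale, so skip them. */` above both checks, or move the condition into one small helper; the wording is inferred from the commit title and should be confirmed. Other tracker walks in this file that read isCopy()/copyOf() are not visible here and deserve the same audit, since acting on a stale entry means syncing or resetting a slot that is no longer part of the frame. ensureDouble begins before this hunk and continues after it.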
@@ -1908,17 +1908,17 @@ FrameState::uncopy(FrameEntry *original)
 
 bool
 FrameState::hasOnlyCopy(FrameEntry *backing, FrameEntry *fe)
 {
     JS_ASSERT(backing->isCopied() && fe->copyOf() == backing);
 
     for (uint32 i = backing->trackerIndex() + 1; i < tracker.nentries; i++) {
         FrameEntry *nfe = tracker[i];
-        if (nfe != fe && nfe->isCopy() && nfe->copyOf() == backing)
+        if (nfe != fe && nfe < sp && nfe->isCopy() && nfe->copyOf() == backing)
             return false;
     }
 
     return true;
 }
 
 void
 FrameState::storeLocal(uint32 n, JSValueType type, types::TypeSet *typeSet,