[INFER] Always maintain flags on non-lazy type flags, bug 673715.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 25 Jul 2011 07:13:02 -0700
changeset 76063 3ccf931079419c397420407d4eda196e99123222
parent 76062 8c7adf094b8e51e7cdc55322bce7897502b50c24
child 76064 bf459add722bb0799b73c69b18b7b7f17f4fb778
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
bugs673715
milestone8.0a1
[INFER] Always maintain flags on non-lazy type flags, bug 673715.
js/src/jit-test/tests/basic/bug673715.js
js/src/jsinfer.cpp
js/src/jsinferinlines.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug673715.js
@@ -0,0 +1,10 @@
+function g() {
+    "use strict";
+    for (var i = 0; i < 50; i++)
+        arguments[0];
+    eval("");
+}
+function f() {
+    g.call(arguments);
+}
+f();
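Review bot: The new test has no assertion and no comment, so it can only pass by running to completion without a crash or engine assertion. A leading comment such as `// Don't crash or assert: strict-mode arguments access plus eval, called with an arguments object as |this| (bug 673715).` would tell the next reader what a failure means.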
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -3934,30 +3934,24 @@ ScriptAnalysis::analyzeTypes(JSContext *
      * we are reanalyzing after a GC.
      */
     TypeResult *result = script->types.dynamicList;
     while (result) {
         pushedTypes(result->offset)->addType(cx, result->type);
         result = result->next;
     }
 
-    if (!script->usesArguments)
+    if (!script->usesArguments || script->createdArgs)
         return;
 
     /*
      * Do additional analysis to determine whether the arguments object in the
      * script can escape.
      */
 
-    if (script->fun->hasLazyType())
-        return;
-
-    if (script->fun->type()->hasAnyFlags(OBJECT_FLAG_CREATED_ARGUMENTS))
-        return;
-
     /*
      * Note: don't check for strict mode code here, even though arguments
      * accesses in such scripts will always be deoptimized. These scripts can
      * have a JSOP_ARGUMENTS in their prologue which the usesArguments check
      * above does not account for. We filter in the interpreter and JITs
      * themselves.
      */
     if (script->fun->isHeavyweight() || cx->compartment->debugMode) {
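Review bot: With the `hasLazyType()` early return removed, a script whose function still has a lazy type and whose `createdArgs` is false now falls through to the arguments escape analysis that starts at the `isHeavyweight()` check. The rest of analyzeTypes lies outside this hunk, so it cannot be confirmed from here that nothing further down calls `script->fun->type()` on a lazy-typed function; if something does, it needs a guard or an assertion. The condition now relies on `script->createdArgs` alone, so a comment above it such as `/* createdArgs lives on the script because type flags are not recorded for lazy-typed functions. */` would explain why the type flag is no longer read. A stale answer here feeds JIT optimization decisions, so the invariant is worth stating in the code.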
--- a/js/src/jsinferinlines.h
+++ b/js/src/jsinferinlines.h
@@ -369,20 +369,18 @@ AddTypeProperty(JSContext *cx, TypeObjec
     if (cx->typeInferenceEnabled() && !obj->unknownProperties())
         obj->addPropertyType(cx, name, value);
 }
 
 /* Set one or more dynamic flags on a type object. */
 inline void
 MarkTypeObjectFlags(JSContext *cx, JSObject *obj, TypeObjectFlags flags)
 {
-    if (TrackPropertyTypes(cx, obj, JSID_EMPTY)) {
-        if (!obj->type()->hasAllFlags(flags))
-            obj->type()->setFlags(cx, flags);
-    }
+    if (cx->typeInferenceEnabled() && !obj->hasLazyType() && !obj->type()->hasAllFlags(flags))
+        obj->type()->setFlags(cx, flags);
 }
 
 /*
  * Mark all properties of a type object as unknown. If markSetsUnknown is set,
  * scan the entire compartment and mark all type sets containing it as having
  * an unknown object. This is needed for correctness in dealing with mutable
  * __proto__, which can change the type of an object dynamically.
  */
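Review bot: `MarkTypeObjectFlags` now does nothing when `obj->hasLazyType()`, so a flag requested for a lazy-typed object is dropped rather than recorded. The one-line comment above the function should say so, for example `/* Set one or more dynamic flags on a type object. No-op if inference is disabled or obj has a lazy type. */`. Callers that need the flag remembered in that case must keep another record. The jsinfer.cpp hunk in this commit reads `script->createdArgs`, which looks like that record, though where it is set is not visible here. Because compiled code presumably depends on these flags to know which assumptions hold, the silent skip deserves a mention at the definition.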