[INFER] Always mark overflows for slowpath incops, bug 646594.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 30 Mar 2011 15:01:31 -0700
changeset 74878 4c4a64cb65824c01ab7cb7859841501336ae6171
parent 74877 cc8882cb4cd454bc319d95657ae662d7551eead7
child 74879 2c9b41f384eaf28a27e2c08c097ca80fc6a12818
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs646594
milestone2.0b13pre
[INFER] Always mark overflows for slowpath incops, bug 646594.
js/src/jsinterp.cpp
js/src/methodjit/StubCalls.cpp
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -4169,17 +4169,17 @@ do_incop:
         ref.setInt32(tmp);
     } else {
         /* We need an extra root for the result. */
         PUSH_NULL();
         if (!js_DoIncDec(cx, cs, &regs.sp[-2], &regs.sp[-1]))
             goto error;
         if (!cx->typeMonitorAssign(obj, id, regs.sp[-1]))
             goto error;
-        if (!regs.sp[-1].isInt32() && !script->typeMonitorOverflow(cx, regs.pc))
+        if (!script->typeMonitorOverflow(cx, regs.pc))
             goto error;
         regs.fp->setAssigning();
         JSBool ok = obj->setProperty(cx, id, &regs.sp[-1], script->strictModeCode);
         regs.fp->clearAssigning();
         if (!ok)
             goto error;
         regs.sp--;
     }
@@ -4243,17 +4243,17 @@ BEGIN_CASE(JSOP_LOCALINC)
         vp->getInt32Ref() = tmp + incr;
         JS_ASSERT(JSOP_INCARG_LENGTH == js_CodeSpec[op].length);
         SKIP_POP_AFTER_SET(JSOP_INCARG_LENGTH, 0);
         PUSH_INT32(tmp + incr2);
     } else {
         PUSH_COPY(*vp);
         if (!js_DoIncDec(cx, &js_CodeSpec[op], &regs.sp[-1], vp))
             goto error;
-        if (!vp->isInt32() && !script->typeMonitorOverflow(cx, regs.pc))
+        if (!script->typeMonitorOverflow(cx, regs.pc))
             goto error;
     }
     len = JSOP_INCARG_LENGTH;
     JS_ASSERT(len == js_CodeSpec[op].length);
     DO_NEXT_OP(len);
 }
 
 BEGIN_CASE(JSOP_THIS)
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -1686,17 +1686,18 @@ ObjIncOp(VMFrame &f, JSObject *obj, jsid
             return false;
         if (POST) {
             ref.setNumber(d);
             d += N;
         } else {
             d += N;
             ref.setNumber(d);
         }
-        if (!v.setNumber(d) && !f.script()->typeMonitorOverflow(cx, f.pc()))
+        v.setNumber(d);
+        if (!f.script()->typeMonitorOverflow(cx, f.pc()))
             return false;
         if (!cx->typeMonitorAssign(obj, id, v))
             return false;
         fp->setAssigning();
         JSBool ok = obj->setProperty(cx, id, &v, strict);
         fp->clearAssigning();
         if (!ok)
             return false;