[INFER] Don't check types with an uninitialized frame on the stack, bug 642985.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 19 Mar 2011 10:07:21 -0700
changeset 74815 695726698bfe464daee58637fa81df3e6a9c35b9
parent 74814 b6cae337d38dbc449bea261a0c43f917c9faffb8
child 74816 39ec057f7b172cae8e6860a5d46c893ff76e4b25
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs642985
milestone2.0b13pre
[INFER] Don't check types with an uninitialized frame on the stack, bug 642985.
js/src/jit-test/tests/basic/bug642985-1.js
js/src/jit-test/tests/basic/bug642985-2.js
js/src/methodjit/InvokeHelpers.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug642985-1.js
@@ -0,0 +1,23 @@
+gczeal(2);
+function complex(aReal, aImag) {}
+function mandelbrotValueOO (aC, aIterMax) {
+  for (var iter = 0; iter < aIterMax; iter++) {  }
+}
+function f(trace) {
+  const width = 5;
+  const height = 5;
+  const max_iters = 5;
+  var output = [];
+  for (let img_x = 0; img_x < width; img_x++) {
+    for (let img_y = 0; img_y < height; img_y++) {
+      let C = new complex(-2 + (img_x / width) * 3,
+                          -1.5 + (img_y / height) * 3);
+      var res = mandelbrotValueOO(C, max_iters);
+      if (output.length > 0 && complex(5)) {
+      } else {
+        output.push([res, 1]);
+      }
+    }
+  }
+}
+var timenonjit = f(false);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug642985-2.js
@@ -0,0 +1,23 @@
+function f(N)
+{
+        for (var i = 0; i != N; ++i) {
+                var obj1 = {}, obj2 = {};
+                obj1['a'+i] = 0;
+                obj2['b'+i] = 0;
+                for (var repeat = 0;repeat != 2; ++repeat) {
+                        for (var j in obj1) {
+                                for (var k in obj2) {
+                                        gc();
+                                }
+                        }
+                }
+        }
+}
+var array = [function() { f(10); },
+    function(array) { f(50); },
+    function() { propertyIsEnumerable.call(undefined, {}); },
+    ];
+try {
+  for (var i = 0; i != array.length; ++i)
+    array[i]();
+} catch (e) {}
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -300,32 +300,32 @@ stubs::CompileFunction(VMFrame &f, uint3
     /*
      * Since we can only use members set by initCallFrameCallerHalf,
      * we must carefully extract the callee from the nactual.
      */
     JSObject &callee = fp->formalArgsEnd()[-(int(nactual) + 2)].toObject();
     JSFunction *fun = callee.getFunctionPrivate();
     JSScript *script = fun->script();
 
-    CallArgs args(fp->formalArgsEnd() - nactual, nactual);
-    if (!cx->typeMonitorCall(args, fp->isConstructing()))
-        return NULL;
-
     /*
      * FixupArity/RemovePartialFrame expect to be called after the early
      * prologue.
      */
     fp->initCallFrameEarlyPrologue(fun, nactual);
 
     if (nactual != fp->numFormalArgs()) {
         fp = (JSStackFrame *)FixupArity(f, nactual);
         if (!fp)
             return NULL;
     }
 
+    CallArgs args(fp->formalArgs(), fp->numFormalArgs());
+    if (!cx->typeMonitorCall(args, fp->isConstructing()))
+        return NULL;
+
     /* Finish frame initialization. */
     fp->initCallFrameLatePrologue();
 
     /* These would have been initialized by the prologue. */
     f.regs.fp = fp;
     f.regs.sp = fp->base();
     f.regs.pc = script->code;
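Review bot: The relocated `typeMonitorCall` now receives `fp->formalArgs()` with `fp->numFormalArgs()` entries instead of the `nactual` actuals the removed call used, so when a caller supplies more arguments than the callee declares, the surplus values are no longer visible to type monitoring; whether that narrowing is intended cannot be told from this hunk, since `FixupArity` and `typeMonitorCall` are defined elsewhere, and it deserves either a comment or a second look. The ordering constraint that motivated the move is only implicit in the commit title, so a comment above the new `CallArgs args(...)` line, e.g. `/* Type monitoring must run after FixupArity so the frame on the stack is fully initialized (bug 642985). */`, would keep a later refactor from hoisting the call back above the arity fixup. stubs::CompileFunction begins and ends outside the hunk.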