[INFER] Completely fill in fp->nactual in mjit prologues for scripts which use their arguments, bug 662072.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 04 Jun 2011 13:45:31 -0700
changeset 75140 6d423e5f2e488bfaa6466ba6be90b0c352f057f9
parent 75139 2b6ec8bc086bc218512f1f3c96fd672110b81c5d
child 75141 51de14efb83c7bd632071ffd7d6b19fc986a5f0f
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs662072
milestone6.0a1
[INFER] Completely fill in fp->nactual in mjit prologues for scripts which use their arguments, bug 662072.
js/src/jit-test/tests/jaeger/bug662072.js
js/src/methodjit/Compiler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug662072.js
@@ -0,0 +1,7 @@
+(function () {
+    var x;
+    x = arguments.length;
+    return function () {
+        [1][x = arguments.length];
+    };
+}).call().apply();
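Review bot: The new test carries no comment saying what it exercises, so a future reader cannot tell whether a silent pass means the regression is covered or the test went stale. A leading line such as `// Bug 662072: arguments.length read from a nested function entered via apply() with no arguments; the prologue must fill in fp->nactual fully.` would document the intent, with the "must fill in fully" wording taken from the commit title rather than from anything visible in the test itself.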
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -796,18 +796,18 @@ mjit::Compiler::generatePrologue()
              * inspected directly by JIT code, and is not guaranteed to be
              * correct if the UNDERFLOW and OVERFLOW flags are not set.
              */
             Jump hasArgs = masm.branchTest32(Assembler::NonZero, FrameFlagsAddress(),
                                              Imm32(StackFrame::OVERRIDE_ARGS |
                                                    StackFrame::UNDERFLOW_ARGS |
                                                    StackFrame::OVERFLOW_ARGS |
                                                    StackFrame::HAS_ARGS_OBJ));
-            masm.store32(Imm32(script->fun->nargs),
-                         Address(JSFrameReg, StackFrame::offsetOfArgs()));
+            masm.storePtr(ImmPtr((void *) script->fun->nargs),
+                          Address(JSFrameReg, StackFrame::offsetOfArgs()));
             hasArgs.linkTo(masm.label(), &masm);
         }
     }
 
     if (isConstructing)
         constructThis();
 
     if (debugMode() || Probes::callTrackingActive(cx))
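Review bot: The replacement storePtr writes a full machine word where store32 wrote 32 bits, but nothing in the code records why an integer argument count is stored through a pointer-width immediate, and the C-style `(void *) script->fun->nargs` cast will read as an accident to the next maintainer. A comment above the store such as `/* nactual is word-sized: a 32-bit store leaves the upper bits uninitialized on 64-bit targets, and JIT code inspects this slot directly. */` would capture it; the uninitialized-upper-bits rationale is inferred from the commit title and should be confirmed against StackFrame's field layout. If the surrounding code tolerates it, `ImmPtr(reinterpret_cast<void *>(script->fun->nargs))` makes the integer-to-pointer conversion explicit and greppable. generatePrologue begins before this hunk and continues past it.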