[INFER] Analyze SETCONST on unknown objects, bug 639797.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 08 Mar 2011 12:51:55 -0800
changeset 74736 738bc64ae77d0908ef4b009e39c4133ae324b4c4
parent 74735 75d5794ab88aed10db068961350d160e6d4bb929
child 74737 adc45b0a01c8c5b9f56e2fcc237ae101aaba27c0
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs639797
milestone2.0b12pre
[INFER] Analyze SETCONST on unknown objects, bug 639797.
js/src/jit-test/tests/basic/bug639797.js
js/src/jsinfer.cpp
js/src/methodjit/StubCalls.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug639797.js
@@ -0,0 +1,1 @@
+Function("with([])const x=0")()
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -1979,16 +1979,17 @@ TypeCompartment::monitorBytecode(JSConte
      * target of the set/call could be statically unknown, and mark the bytecode
      * results as unknown.
      */
     JSOp op = JSOp(script->code[offset]);
     switch (op) {
       case JSOP_SETNAME:
       case JSOP_SETGNAME:
       case JSOP_SETXMLNAME:
+      case JSOP_SETCONST:
       case JSOP_SETELEM:
       case JSOP_SETPROP:
       case JSOP_SETMETHOD:
       case JSOP_INITPROP:
       case JSOP_INITMETHOD:
       case JSOP_FORPROP:
       case JSOP_FORNAME:
       case JSOP_FORGNAME:
@@ -2616,16 +2617,17 @@ AnalyzeBytecode(JSContext *cx, AnalyzeSt
         jsid id = GetAtomId(cx, script, pc, 0);
         PropertyAccess(cx, script, pc, script->getGlobalType(),
                        true, state.popped(0).types, id);
         state.popped(0).types->addSubset(cx, script, &pushed[0]);
         break;
       }
 
       case JSOP_SETNAME:
+      case JSOP_SETCONST:
         cx->compartment->types.monitorBytecode(cx, script, offset);
         state.popped(0).types->addSubset(cx, script, &pushed[0]);
         break;
 
       case JSOP_GETXPROP:
         pushed[0].addType(cx, TYPE_UNKNOWN);
         break;
 
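Review bot: The new `case JSOP_SETCONST:` folded into the JSOP_SETNAME path carries no comment saying why the dedicated handler (removed in the following hunk) was wrong: that handler resolved the constant's type set against `script->getGlobalType()`, while the constant is actually defined on the frame's variable object, which need not be the global — the added test `with([])const x=0` appears to be exactly that case. A one-line comment above the case would keep the next reader from "optimizing" it back, e.g. `/* SETCONST defines on the variable object, which is not necessarily the global (e.g. under 'with'), so treat it like SETNAME. */`. The enclosing AnalyzeBytecode switch starts and ends outside this hunk.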
@@ -2641,26 +2643,16 @@ AnalyzeBytecode(JSContext *cx, AnalyzeSt
 
       case JSOP_INCNAME:
       case JSOP_DECNAME:
       case JSOP_NAMEINC:
       case JSOP_NAMEDEC:
         cx->compartment->types.monitorBytecode(cx, script, offset);
         break;
 
-      case JSOP_SETCONST: {
-        jsid id = GetAtomId(cx, script, pc, 0);
-        TypeSet *types = script->getGlobalType()->getProperty(cx, id, true);
-        if (!types)
-            return false;
-        state.popped(0).types->addSubset(cx, script, types);
-        state.popped(0).types->addSubset(cx, script, &pushed[0]);
-        break;
-      }
-
       case JSOP_GETFCSLOT:
       case JSOP_CALLFCSLOT: {
         unsigned index = GET_UINT16(pc);
         TypeSet *types = script->upvarTypes(index);
         types->addSubset(cx, script, &pushed[0]);
         if (op == JSOP_CALLFCSLOT)
             pushed[1].addType(cx, TYPE_UNDEFINED);
         break;
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -2748,16 +2748,20 @@ stubs::DefVarOrConst(VMFrame &f, JSAtom 
 void JS_FASTCALL
 stubs::SetConst(VMFrame &f, JSAtom *atom)
 {
     JSContext *cx = f.cx;
     JSStackFrame *fp = f.fp();
 
     JSObject *obj = &fp->varobj(cx);
     const Value &ref = f.regs.sp[-1];
+
+    if (!cx->typeMonitorAssign(obj, ATOM_TO_JSID(atom), ref))
+        THROW();
+
     if (!obj->defineProperty(cx, ATOM_TO_JSID(atom), ref,
                              PropertyStub, StrictPropertyStub,
                              JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY)) {
         THROW();
     }
 }
 
 JSBool JS_FASTCALL
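Review bot: The `typeMonitorAssign` call added before `defineProperty` in stubs::SetConst means that when defineProperty fails, the compartment has already recorded an assignment that never took effect; that ordering looks deliberate (an extra observed type is the conservative direction for inference, a missed one is not) but it should be stated, e.g. `/* Monitor before defining: recording a type for a failed define is harmless, missing one is not. */`. `ATOM_TO_JSID(atom)` is now evaluated twice in the same function; hoisting it as `jsid id = ATOM_TO_JSID(atom);` before the monitor call and passing `id` to both calls keeps the monitored id and the defined id trivially identical.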