[INFER] Add dependency on type of pushed value in JSOP_GETGNAME, bug 649261, mark properties redefined with getters/setters as configured, bug 649272.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 12 Apr 2011 08:33:48 -0700
changeset 74931 a4131835b866364816d60729d80f27c294180b1f
parent 74930 c09134c989c8528d88f75221b61943904e923e16
child 74932 440e9b0a41afbc0dc486df51fba261c5b74538dd
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs649261, 649272
milestone2.2a1pre
[INFER] Add dependency on type of pushed value in JSOP_GETGNAME, bug 649261, mark properties redefined with getters/setters as configured, bug 649272.
js/src/jit-test/tests/jaeger/bug649272.js
js/src/jit-test/tests/jaeger/recompile/bug649261.js
js/src/jsobj.cpp
js/src/methodjit/Compiler.cpp
js/src/methodjit/FastBuiltins.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug649272.js
@@ -0,0 +1,4 @@
+function f(x) {return x;}
+x = f(/abc/);
+eval("this.__defineSetter__(\"x\", function(){}); x = 3;");
+eval("var BUGNUMBER = 233483;");
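Review bot: Neither this test nor bug649261.js in the next file says what it guards, and neither contains an assertion, so a reader cannot tell that a pass only means the shell did not crash or trip an assert. A one-line header here such as `// Bug 649272: defining a setter on a global that already holds a value must mark its type property as configured.` would record the intent, with an equivalent `// Bug 649261: ...` line in the recompile test. The `BUGNUMBER = 233483` line looks like leftover reducer output; if the original failure still reproduces without it, dropping it would make the test easier to read.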
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/recompile/bug649261.js
@@ -0,0 +1,2 @@
+var DESCRIPTION;
+eval("DESCRIPTION += \"Non-character escapes in identifiers negative test.\";");
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1613,16 +1613,18 @@ js_obj_defineGetter(JSContext *cx, uintN
      */
     Value junk;
     uintN attrs;
     if (!CheckAccess(cx, obj, id, JSACC_WATCH, &junk, &attrs))
         return JS_FALSE;
 
     if (!cx->addTypePropertyId(obj->getType(), id, TYPE_UNKNOWN))
         return JS_FALSE;
+    if (!cx->markTypePropertyConfigured(obj->getType(), id))
+        return false;
 
     vp->setUndefined();
     return obj->defineProperty(cx, id, UndefinedValue(), getter, StrictPropertyStub,
                                JSPROP_ENUMERATE | JSPROP_GETTER | JSPROP_SHARED);
 }
 
 JS_FRIEND_API(JSBool)
 js_obj_defineSetter(JSContext *cx, uintN argc, Value *vp)
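Review bot: The added failure path returns `false`, while the two checks directly above it in the same JSBool function return `JS_FALSE`; the next hunk adds the same mix to js_obj_defineSetter. Using `return JS_FALSE;` in both places keeps each function consistent. A short comment above the new call would also help, for example `/* An accessor replaces the plain data property, so code compiled against the old type information must not keep relying on it. */`. As far as the hunk shows, this call is the only thing that tells type inference about the change, so its purpose should be stated where a later edit could drop it. The function body starts outside the hunk.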
@@ -1650,16 +1652,18 @@ js_obj_defineSetter(JSContext *cx, uintN
      */
     Value junk;
     uintN attrs;
     if (!CheckAccess(cx, obj, id, JSACC_WATCH, &junk, &attrs))
         return JS_FALSE;
 
     if (!cx->addTypePropertyId(obj->getType(), id, TYPE_UNKNOWN))
         return JS_FALSE;
+    if (!cx->markTypePropertyConfigured(obj->getType(), id))
+        return false;
 
     vp->setUndefined();
     return obj->defineProperty(cx, id, UndefinedValue(), PropertyStub, setter,
                                JSPROP_ENUMERATE | JSPROP_SETTER | JSPROP_SHARED);
 }
 
 static JSBool
 obj_lookupGetter(JSContext *cx, uintN argc, Value *vp)
@@ -2444,18 +2448,19 @@ static JSBool
 DefineProperty(JSContext *cx, JSObject *obj, const jsid &id, const PropDesc &desc, bool throwError,
                bool *rval)
 {
     if (!cx->addTypePropertyId(obj->getType(), id, desc.value))
         return false;
     if (!desc.get.isUndefined() || !desc.set.isUndefined()) {
         if (!cx->addTypePropertyId(obj->getType(), id, TYPE_UNKNOWN))
             return false;
-    }
-    if (!desc.configurable() || !desc.enumerable() || !desc.writable()) {
+        if (!cx->markTypePropertyConfigured(obj->getType(), id))
+            return false;
+    } else if (!desc.configurable() || !desc.enumerable() || !desc.writable()) {
         if (!cx->markTypePropertyConfigured(obj->getType(), id))
             return false;
     }
 
     if (obj->isArray())
         return DefinePropertyOnArray(cx, obj, id, desc, throwError, rval);
 
     if (obj->getOps()->lookupProperty) {
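Review bot: Both arms of the new `if` / `else if` end in the same `markTypePropertyConfigured` call, which hides the fact that the only accessor-specific step is the `TYPE_UNKNOWN` add. Consider computing `bool accessor = !desc.get.isUndefined() || !desc.set.isUndefined();` once and keeping the `addTypePropertyId(..., TYPE_UNKNOWN)` under `if (accessor)`. The mark call can then sit under a single `if (accessor || !desc.configurable() || !desc.enumerable() || !desc.writable())`. That leaves one place to extend if another descriptor shape later has to force the configured state, which matters because a missed case here would leave compiled code with stale type assumptions. DefineProperty continues past the end of the hunk.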
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -3951,18 +3951,18 @@ mjit::Compiler::inlineScriptedFunction(u
 
     /*
      * For 'this' and arguments which are copies of other entries still in
      * memory, try to get registers now. This will let us carry these entries
      * around loops if possible. (Entries first accessed within the inlined
      * call can't be loop carried).
      */
     frame.tryCopyRegister(origThis, origCallee);
-    for (int i = 0; i < argc; i++)
-        frame.tryCopyRegister(frame.peek(-(i + 1)), origCallee);
+    for (unsigned i = 0; i < argc; i++)
+        frame.tryCopyRegister(frame.peek(-((int)i + 1)), origCallee);
 
     /*
      * If this is a polymorphic callsite, get a register for the callee too.
      * After this, do not touch the register state in the current frame until
      * stubs for all callees have been generated.
      */
     MaybeRegisterID calleeReg;
     if (count > 1) {
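Review bot: The rewritten loop removes the signed/unsigned comparison but introduces a C-style cast, `(int)i`, and the FastBuiltins.cpp hunk adds the same pattern to inlineNativeFunction. A named conversion such as `frame.peek(-(static_cast<int>(i) + 1))` is easier to grep for and makes the narrowing explicit. The declared type of `argc` is not visible in either hunk, so it is worth confirming that it is unsigned and that its range fits in `int` before the negation. Both enclosing functions start and end outside their hunks.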
@@ -5914,17 +5914,17 @@ mjit::Compiler::jsop_getgname(uint32 ind
             if (!value->isUndefined() && !types->isOwnProperty(cx, true)) {
                 watchGlobalReallocation();
                 RegisterID reg = frame.allocReg();
                 masm.move(ImmPtr(value), reg);
                 frame.push(Address(reg), type, true);
                 return;
             }
         }
-        if (mayPushUndefined(0))
+        if (knownPushedType(0) != type)
             type = JSVAL_TYPE_UNKNOWN;
     }
 
 #if defined JS_MONOIC
     jsop_bindgname();
 
     FrameEntry *fe = frame.peek(-1);
     JS_ASSERT(fe->isTypeKnown() && fe->getKnownType() == JSVAL_TYPE_OBJECT);
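Review bot: The replacement condition `knownPushedType(0) != type` carries no comment, yet it is the check that stops the compiler from baking in the type tag of the global's current value when inference predicts something else. A line above the `if`, such as `/* Only keep the current value's type when inference predicts the same pushed type. */`, would make that invariant explicit. Going by the commit title, `knownPushedType` is also expected to register the recompilation dependency; if that is the case, the comment should say so, because the call otherwise reads as a pure query that a later cleanup could reorder or cache. The enclosing block opens before the hunk.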
--- a/js/src/methodjit/FastBuiltins.cpp
+++ b/js/src/methodjit/FastBuiltins.cpp
@@ -344,18 +344,18 @@ mjit::Compiler::inlineNativeFunction(uin
         return Compile_InlineAbort;
 
     JSValueType type = knownPushedType(0);
     JSValueType thisType = thisValue->isTypeKnown()
                            ? thisValue->getKnownType()
                            : JSVAL_TYPE_UNKNOWN;
 
     /* All argument types must be known. */
-    for (int i=0; i<argc; i++) {
-        FrameEntry * arg = frame.peek(-(i+1));
+    for (unsigned i=0; i<argc; i++) {
+        FrameEntry * arg = frame.peek(-((int)i+1));
 
         if (!arg->isTypeKnown())
             return Compile_InlineAbort;
     }
 
     if (argc == 1) {
         FrameEntry *arg = frame.peek(-1);
         JSValueType argType = arg->getKnownType();