[INFER] Analyze JSOP_ENUMCONSTELEM, bug 639807.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 08 Mar 2011 13:34:47 -0800
changeset 74737 adc45b0a01c8c5b9f56e2fcc237ae101aaba27c0
parent 74736 738bc64ae77d0908ef4b009e39c4133ae324b4c4
child 74738 f2fdb87d75a358ad7902e841ba95dd4a0e92dc2a
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs639807
milestone2.0b12pre
[INFER] Analyze JSOP_ENUMCONSTELEM, bug 639807.
js/src/jit-test/tests/basic/bug639807.js
js/src/jsinfer.cpp
js/src/jsinterp.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug639807.js
@@ -0,0 +1,4 @@
+
+try {
+  eval("const[]=*,[x]=r")
+} catch (e) {}
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -1989,16 +1989,17 @@ TypeCompartment::monitorBytecode(JSConte
       case JSOP_SETPROP:
       case JSOP_SETMETHOD:
       case JSOP_INITPROP:
       case JSOP_INITMETHOD:
       case JSOP_FORPROP:
       case JSOP_FORNAME:
       case JSOP_FORGNAME:
       case JSOP_ENUMELEM:
+      case JSOP_ENUMCONSTELEM:
       case JSOP_DEFFUN:
       case JSOP_DEFFUN_FC:
       case JSOP_ARRAYPUSH:
         break;
       case JSOP_INCNAME:
       case JSOP_DECNAME:
       case JSOP_NAMEINC:
       case JSOP_NAMEDEC:
@@ -3067,16 +3068,17 @@ AnalyzeBytecode(JSContext *cx, AnalyzeSt
 
       case JSOP_FORELEM:
         state.popped(0).types->addSubset(cx, script, &pushed[0]);
         pushed[1].addType(cx, TYPE_UNKNOWN);
         break;
 
       case JSOP_FORPROP:
       case JSOP_ENUMELEM:
+      case JSOP_ENUMCONSTELEM:
         cx->compartment->types.monitorBytecode(cx, script, offset);
         break;
 
       case JSOP_ARRAYPUSH: {
         TypeSet *types = state.stack[GET_SLOTNO(pc) - script->nfixed].types;
         types->addSetProperty(cx, script, pc, state.popped(0).types, JSID_VOID);
         break;
       }
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -3404,16 +3404,18 @@ END_SET_CASE(JSOP_SETCONST);
 #if JS_HAS_DESTRUCTURING
 BEGIN_CASE(JSOP_ENUMCONSTELEM)
 {
     const Value &ref = regs.sp[-3];
     JSObject *obj;
     FETCH_OBJECT(cx, -2, obj);
     jsid id;
     FETCH_ELEMENT_ID(obj, -1, id);
+    if (!cx->typeMonitorAssign(obj, id, ref))
+        goto error;
     if (!obj->defineProperty(cx, id, ref,
                              PropertyStub, StrictPropertyStub,
                              JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY)) {
         goto error;
     }
     regs.sp -= 3;
 }
 END_CASE(JSOP_ENUMCONSTELEM)