[INFER] Balance stack in decomposed INCELEM emitted for SETCALL, bug 672122. Fix build break.
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 21 Jul 2011 21:12:25 -0700
changeset 76054 b804df6e5d284ef7a92eb91d3a1d213e53a32bc8
parent 76053 36813ba5ea40a40794a342335013a9d927730ad6
child 76055 ed0911cf98f22a79e67d83843e0de6cf8c48aa01
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
bugs672122
milestone8.0a1
[INFER] Balance stack in decomposed INCELEM emitted for SETCALL, bug 672122. Fix build break.
js/src/jit-test/tests/jaeger/bug672122.js
js/src/jsemit.cpp
js/src/xpconnect/src/xpcjsruntime.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug672122.js
@@ -0,0 +1,3 @@
+// |jit-test| error: ReferenceError
+
+if (x) {} else if ((evalcx('lazy'))++) {}
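Review bot: The decomposed increment in the else branch is never executed, since `if (x)` throws ReferenceError on the unbound `x` first, so this test exercises only bytecode emission for the `(evalcx('lazy'))++` call expression, which is presumably the point for an emitter fix but is not stated anywhere in the file. A one-line comment above the statement would make that explicit, e.g. `// x is unbound: the ReferenceError fires before the else branch runs, so only emission of the ++ on a call expression is exercised.`. `evalcx` appears to be a shell-only builtin, so the test also depends on the jit-test harness environment rather than plain JS.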
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -6581,19 +6581,23 @@ js_EmitTree(JSContext *cx, JSCodeGenerat
                                CG_OFFSET(cg) - pn2->pn_offset) < 0) {
                 return JS_FALSE;
             }
             if (js_Emit1(cx, cg, op) < 0)
                 return JS_FALSE;
             if (js_CodeSpec[op].format & JOF_DECOMPOSE) {
                 /*
                  * This is dead code for the decompiler, don't generate
-                 * a decomposed version of the opcode.
+                 * a decomposed version of the opcode. We do need to balance
+                 * the stacks in the decomposed version.
                  */
-                if (js_Emit1(cx, cg, (JSOp)0) < 0)
+                JS_ASSERT(js_CodeSpec[op].format & JOF_ELEM);
+                if (js_Emit1(cx, cg, (JSOp)1) < 0)
+                    return JS_FALSE;
+                if (js_Emit1(cx, cg, JSOP_POP) < 0)
                     return JS_FALSE;
             }
             break;
 #if JS_HAS_XML_SUPPORT
           case TOK_UNARYOP:
             JS_ASSERT(pn2->pn_op == JSOP_SETXMLNAME);
             if (!js_EmitTree(cx, cg, pn2->pn_kid))
                 return JS_FALSE;
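Review bot: The emitted opcode is still written as a bare cast, `(JSOp)1`, which hides what is being emitted; if this is meant to be JSOP_PUSH (opcode 1 in the opcode table, paired with the JSOP_POP emitted right after it), spell it as `js_Emit1(cx, cg, JSOP_PUSH)` so the push/pop pairing is visible and does not depend on the table's numbering. The updated comment also still says no decomposed version is generated, while the code now emits two opcodes; suggested wording: `The decompiler never sees this code, so no real decomposed form is emitted; a push/pop pair keeps the decomposed sequence stack-balanced.`. The new JS_ASSERT on JOF_ELEM records an assumption about the op's operands, but the comment does not say why that assumption justifies a net-zero push/pop pair here rather than the op's own stack effect, and a short why-comment there would spare the next reader a trip to the opcode table. js_EmitTree begins and ends outside this hunk.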
--- a/js/src/xpconnect/src/xpcjsruntime.cpp
+++ b/js/src/xpconnect/src/xpcjsruntime.cpp
@@ -1722,41 +1722,41 @@ public:
     "data.  This data is allocated via the compartment's VMAllocators.");
 
             BYTES(mkPath(name, "tjit-data/allocators-reserve"),
                nsIMemoryReporter::KIND_HEAP, stats->tjitDataAllocatorsReserve,
     "Memory used by the trace JIT and held in reserve for the compartment's "
     "VMAllocators in case of OOM.");
 #endif
 
-            DO(mkPath(name, "type-inference/script-main"),
+            BYTES(mkPath(name, "type-inference/script-main"),
                nsIMemoryReporter::KIND_HEAP, stats->typeInferenceMemory.scriptMain,
     "Memory used during type inference to store type sets of variables "
     "and dynamically observed types.");
 
-            DO(mkPath(name, "type-inference/script-typesets"),
+            BYTES(mkPath(name, "type-inference/script-typesets"),
                nsIMemoryReporter::KIND_HEAP, stats->typeInferenceMemory.scriptSets,
     "Memory used during type inference to hold the contents of type "
     "sets associated with scripts.");
 
-            DO(mkPath(name, "type-inference/object-main"),
+            BYTES(mkPath(name, "type-inference/object-main"),
                nsIMemoryReporter::KIND_HEAP, stats->typeInferenceMemory.objectMain,
     "Memory used during type inference to store types and possible "
     "property types of JS objects.");
 
-            DO(mkPath(name, "type-inference/object-typesets"),
+            BYTES(mkPath(name, "type-inference/object-typesets"),
                nsIMemoryReporter::KIND_HEAP, stats->typeInferenceMemory.objectSets,
     "Memory used during type inference to hold the contents of type "
     "sets associated with objects.");
 
             /*
              * This is in a different category from the rest of type inference
              * data as this can be large but is volatile and cleared on GC.
              */
-            DO(mkPath(name, "type-inference-pools"),
+            BYTES(mkPath(name, "type-inference-pools"),
                nsIMemoryReporter::KIND_HEAP, stats->typeInferenceMemory.poolMain,
     "Memory used during type inference to hold transient analysis information.");
         }
 
         JS_ASSERT(gcHeapChunkTotal % js::GC_CHUNK_SIZE == 0);
         size_t numChunks = gcHeapChunkTotal / js::GC_CHUNK_SIZE;
         PRInt64 perChunkAdmin =
             sizeof(js::gc::Chunk) - (sizeof(js::gc::Arena) * js::gc::ArenasPerChunk);