[INFER] Always ensure interpreted scripts have a type set array, bug 656920.
authorBrian Hackett <bhackett1024@gmail.com>
Sat, 14 May 2011 07:12:19 -0700
changeset 75046 ce07fe87b966bdba6ca8f2eb46117c0309b8f4b9
parent 75045 b92ac5a4ef47213a4a28e26bc3f5370f9f15652f
child 75047 22a0b177d821cb2935f5ab338376e49bf6c7a2ea
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs656920
milestone6.0a1
[INFER] Always ensure interpreted scripts have a type set array, bug 656920.
js/src/jsinfer.cpp
js/src/jsinterp.cpp
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -1701,16 +1701,19 @@ TypeCompartment::growPendingArray(JSCont
 
 void
 TypeCompartment::dynamicCall(JSContext *cx, JSObject *callee,
                              const js::CallArgs &args, bool constructing)
 {
     unsigned nargs = callee->getFunctionPrivate()->nargs;
     JSScript *script = callee->getFunctionPrivate()->script();
 
+    if (!script->ensureTypeArray(cx))
+        return;
+
     if (constructing) {
         script->typeSetNewCalled(cx);
     } else {
         jstype type = GetValueType(cx, args.thisv());
         script->typeSetThis(cx, type);
     }
 
     /*
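Review bot: The early `return` when `script->ensureTypeArray(cx)` fails is silent: dynamicCall is void, so the caller (typeMonitorCall in the JSOP_FUNCALL hunk of jsinterp.cpp) cannot tell that typeSetNewCalled/typeSetThis were skipped for this callee. That is presumably tolerable only because Interpret repeats the same check before running the script (first jsinterp.cpp hunk) and because ensureTypeArray is assumed to report the allocation failure itself; neither is visible here and both are worth confirming. A comment at the new check would make that contract explicit, e.g. `/* typeSetNewCalled/typeSetThis need the script's type sets; on allocation failure skip monitoring, Interpret re-checks before the script runs. */`. The rest of dynamicCall continues past the hunk.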
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -2538,16 +2538,20 @@ Interpret(JSContext *cx, StackFrame *ent
     } else if (TRACE_RECORDER(cx)) {
         AbortRecording(cx, "attempt to reenter interpreter while recording");
     }
 
     if (regs.fp()->hasImacropc())
         atoms = COMMON_ATOMS_START(&rt->atomState);
 #endif
 
+    /* Any script we interpret needs to have its type sets filled in. */
+    if (cx->typeInferenceEnabled() && !script->ensureTypeArray(cx))
+        goto error;
+
     /* Don't call the script prologue if executing between Method and Trace JIT. */
     if (interpMode == JSINTERP_NORMAL) {
         StackFrame *fp = regs.fp();
         JS_ASSERT_IF(!fp->isGeneratorFrame(), regs.pc == script->code);
         bool newType = fp->isConstructing() && cx->typeInferenceEnabled() &&
             fp->prev() && fp->prev()->isScriptFrame() &&
             UseNewType(cx, fp->prev()->script(), fp->prev()->pc(cx));
         if (!ScriptPrologueOrGeneratorResume(cx, fp, newType))
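Review bot: The new check is guarded by `cx->typeInferenceEnabled()` here, while the matching call added to dynamicCall in jsinfer.cpp is unconditional; unless ensureTypeArray is itself a no-op when inference is off (not visible in this diff), the two sites disagree about when a script gets a type array, and either the guard should be applied at both sites or the comment should say why it is only needed here. Note also that `goto error` now fires before ScriptPrologueOrGeneratorResume has run for this frame, so the error path must not rely on anything the prologue sets up; that is inferred from the placement and worth confirming against the `error:` label. Interpret begins and ends outside this hunk.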
@@ -4668,16 +4672,17 @@ BEGIN_CASE(JSOP_FUNCALL)
             }
 
             /* Restrict recursion of lightweight functions. */
             if (JS_UNLIKELY(inlineCallCount >= StackSpace::MAX_INLINE_CALLS)) {
                 js_ReportOverRecursed(cx);
                 goto error;
             }
 
+            /* This will construct the type sets for the callee, if necessary. */
             cx->typeMonitorCall(CallArgsFromVp(argc, vp), flags & StackFrame::CONSTRUCTING);
 
             bool newType = (flags & StackFrame::CONSTRUCTING) &&
                 cx->typeInferenceEnabled() && UseNewType(cx, script, regs.pc);
 
             /* Get pointer to new frame/slots, prepare arguments. */
             ContextStack &stack = cx->stack;
             StackFrame *newfp = stack.getInlineFrame(cx, regs.sp, argc, newfun,
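Review bot: The added comment above `cx->typeMonitorCall(...)` overstates what that line guarantees: assuming it routes to TypeCompartment::dynamicCall, that function returns void and silently returns when the type array cannot be allocated (jsinfer.cpp hunk), so the callee's type sets are not guaranteed to exist after this call. The check that actually enforces the invariant is the one added at the top of Interpret in the previous hunk, and the comment should say so rather than imply this call is sufficient. Suggested wording: `/* Sets up the callee's type sets when inference is enabled; an allocation failure here is caught again when Interpret enters the callee. */`. The enclosing JSOP_FUNCALL case starts and ends outside the hunk.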