[INFER] Mark values pushed by overflowing object inc opcodes as doubles, bug 641741.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 14 Mar 2011 22:26:25 -0700
changeset 74770 e1a60884a125591363d32a4cc80fb78fdae45033
parent 74769 1ce8efbb75cc6122286f9d4e33aba3592fb6a5fb
child 74771 ce31f0090eb00b73ba494b620ea2c0c3b9153b40
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs641741
milestone2.0b13pre
[INFER] Mark values pushed by overflowing object inc opcodes as doubles, bug 641741.
js/src/jit-test/tests/basic/bug641741.js
js/src/jsinterp.cpp
js/src/methodjit/StubCalls.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug641741.js
@@ -0,0 +1,1 @@
+try { eval("var[]=(++false[x])()=[],x") } catch (e) {}
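Review bot: The test gives no indication of what it guards against; it passes as long as the snippet runs without tripping an assertion, so a reader cannot tell a fixed regression from an unrelated no-op. A leading comment would carry the intent, e.g. `// Bug 641741: values pushed by an overflowing object inc opcode must be marked as doubles; this snippet must not assert.` The `catch (e) {}` already documents that the thrown error itself is not the point, so the comment only needs to name the expectation.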
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -4121,16 +4121,18 @@ do_incop:
         ref.setInt32(tmp);
     } else {
         /* We need an extra root for the result. */
         PUSH_NULL();
         if (!js_DoIncDec(cx, cs, &regs.sp[-2], &regs.sp[-1]))
             goto error;
         if (!cx->typeMonitorAssign(obj, id, regs.sp[-1]))
             goto error;
+        if (!regs.sp[-1].isInt32() && !script->typeMonitorOverflow(cx, regs.pc))
+            goto error;
         regs.fp->setAssigning();
         JSBool ok = obj->setProperty(cx, id, &regs.sp[-1], script->strictModeCode);
         regs.fp->clearAssigning();
         if (!ok)
             goto error;
         regs.sp--;
     }
 
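Review bot: The added `isInt32()` check does not say why a non-int32 result is treated as an overflow here, and its placement differs from the StubCalls.cpp hunk in this changeset, where typeMonitorOverflow runs before typeMonitorAssign rather than after it; if the order is not significant, a comment saying so saves the next reader the comparison. Suggest above the new `if`: `/* A non-int32 result means the inc/dec left int32 range (or the operand was already a double); record it so the pushed value is typed as a double. */` Note that the condition fires for any non-int32 number, so double operands that did not overflow take the same path; that matches the `!v.setNumber(d)` test in StubCalls.cpp but is worth stating. The enclosing if/else and the interpreter loop start and end outside the hunk.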
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -1669,22 +1669,18 @@ ObjIncOp(VMFrame &f, JSObject *obj, jsid
             return false;
         if (POST) {
             ref.setNumber(d);
             d += N;
         } else {
             d += N;
             ref.setNumber(d);
         }
-        if (!v.setNumber(d)) {
-            if (!f.script()->typeMonitorOverflow(cx, f.regs.pc) ||
-                !cx->addTypePropertyId(obj->getType(), id, TYPE_DOUBLE)) {
-                return false;
-            }
-        }
+        if (!v.setNumber(d) && !f.script()->typeMonitorOverflow(cx, f.regs.pc))
+            return false;
         if (!cx->typeMonitorAssign(obj, id, v))
             return false;
         fp->setAssigning();
         JSBool ok = obj->setProperty(cx, id, &v, strict);
         fp->clearAssigning();
         if (!ok)
             return false;
     }
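Review bot: On the new `if` line, `v.setNumber(d)` is evaluated for its side effect of storing the result in `v` inside a condition that reads like a pure test, and the `&&` short-circuit obscures that the store always happens while the overflow monitor runs only when setNumber reports a non-int32. Splitting it keeps the effect visible: `bool overflowed = !v.setNumber(d);` / `if (overflowed && !f.script()->typeMonitorOverflow(cx, f.regs.pc))` / `return false;`. The dropped `addTypePropertyId(obj->getType(), id, TYPE_DOUBLE)` call appears to be subsumed by the `typeMonitorAssign(obj, id, v)` on the following line, which now sees the double in `v`; if that is the intent, a one-line comment there saying the property type is recorded by typeMonitorAssign would prevent someone reinstating it. ObjIncOp starts and ends outside the hunk.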