Bug 683470 - InlineReturn should assert using js_GetOpcode instead of *regs.pc (r=dvander)
authorLuke Wagner <luke@mozilla.com>
Wed, 31 Aug 2011 15:42:04 -0700
changeset 76355 ebfdb08589471c3cb3ab297665d0b8a1b5ac2a28
parent 76354 89b87e96dc176cfc144d26e3140c52146e328feb
child 76356 4ff7e79b62a9256a4658450d9b4de6570e85d2b5
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersdvander
bugs683470
milestone9.0a1
Bug 683470 - InlineReturn should assert using js_GetOpcode instead of *regs.pc (r=dvander)
js/src/jit-test/tests/basic/testBug683470.js
js/src/methodjit/InvokeHelpers.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug683470.js
@@ -0,0 +1,15 @@
+// |jit-test| debug
+
+f = (function() {
+  function b() {
+    "use strict";
+    Object.defineProperty(this, "x", ({}));
+  }
+  for each(let d in [0, 0]) {
+    try {
+      b(d);
+    } catch (e) {}
+  }
+})
+trap(f, 54, undefined);
+f()
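Review bot: The bytecode offset in `trap(f, 54, undefined);` is the whole point of the test but nothing records what it is meant to land on, so a future change to the emitter that shifts offsets would leave the trap on an unrelated op and the test passing without exercising the InlineReturn assert it was written for. A comment above the call such as `// 54 must be the pc of the b(d) call inside the loop; a trap there replaces the call opcode, so InlineReturn must decode it via js_GetOpcode rather than *regs.pc` would make the intent checkable when the offset next needs updating. The same applies to the `try { b(d); } catch (e) {}` body, which presumably exists only to throw out of the strict-mode defineProperty and return through the trapped call; a one-line note saying so would help a reader understand why the catch is empty.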
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -176,21 +176,22 @@ top:
  */
 static void
 InlineReturn(VMFrame &f)
 {
     JS_ASSERT(f.fp() != f.entryfp);
     JS_ASSERT(!js_IsActiveWithOrBlock(f.cx, &f.fp()->scopeChain(), 0));
     f.cx->stack.popInlineFrame(f.regs);
 
-    JS_ASSERT(*f.regs.pc == JSOP_CALL ||
-              *f.regs.pc == JSOP_NEW ||
-              *f.regs.pc == JSOP_EVAL ||
-              *f.regs.pc == JSOP_FUNCALL ||
-              *f.regs.pc == JSOP_FUNAPPLY);
+    DebugOnly<JSOp> op = js_GetOpcode(f.cx, f.fp()->script(), f.regs.pc);
+    JS_ASSERT(op == JSOP_CALL ||
+              op == JSOP_NEW ||
+              op == JSOP_EVAL ||
+              op == JSOP_FUNCALL ||
+              op == JSOP_FUNAPPLY);
     f.regs.pc += JSOP_CALL_LENGTH;
 }
 
 void JS_FASTCALL
 stubs::SlowCall(VMFrame &f, uint32 argc)
 {
     CallArgs args = CallArgsFromSp(argc, f.regs.sp);
     if (!InvokeKernel(f.cx, args))
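Review bot: The assertion now decodes the real opcode under a trap, but `f.regs.pc += JSOP_CALL_LENGTH;` on the line after it still assumes that all five accepted opcodes (JSOP_CALL, JSOP_NEW, JSOP_EVAL, JSOP_FUNCALL, JSOP_FUNAPPLY) have the same encoded length, and nothing checks that. If someone later adds a call-like opcode with a different operand layout, the assert would be extended and the pc would silently land mid-instruction in release builds. A `JS_STATIC_ASSERT(JSOP_NEW_LENGTH == JSOP_CALL_LENGTH);` (and likewise for EVAL, FUNCALL, FUNAPPLY) next to the increment would pin the invariant at compile time. A short comment on the `DebugOnly<JSOp> op` line would also help: `// pc may hold JSOP_TRAP here; js_GetOpcode recovers the original opcode (bug 683470)`, and, hedged since the trap mechanism is not visible here, that the fixed-length skip presumably stays correct because a trap replaces only the opcode byte and not the operand bytes.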