[INFER] Don't emit malformed eleminc ops when incrementing XML names, bug 672153.
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 21 Jul 2011 21:27:23 -0700
changeset 76055 ed0911cf98f22a79e67d83843e0de6cf8c48aa01
parent 76054 b804df6e5d284ef7a92eb91d3a1d213e53a32bc8
child 76056 85b77c0781b61ca17bd9be12f3ec36d63b9cc507
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
bugs672153
milestone8.0a1
[INFER] Don't emit malformed eleminc ops when incrementing XML names, bug 672153.
js/src/jit-test/tests/basic/bug672153.js
js/src/jsemit.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug672153.js
@@ -0,0 +1,1 @@
+uneval(Function("[] = (*::*++);print(x);"));
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -3139,18 +3139,23 @@ EmitElemOp(JSContext *cx, JSParseNode *p
     if (js_NewSrcNote2(cx, cg, SRC_PCBASE, CG_OFFSET(cg) - top) < 0)
         return JS_FALSE;
     return EmitElemOpBase(cx, cg, op);
 }
 
 static bool
 EmitElemIncDec(JSContext *cx, JSParseNode *pn, JSOp op, JSCodeGenerator *cg)
 {
-    if (!EmitElemOp(cx, pn, op, cg))
-        return false;
+    if (pn) {
+        if (!EmitElemOp(cx, pn, op, cg))
+            return false;
+    } else {
+        if (!EmitElemOpBase(cx, cg, op))
+            return false;
+    }
     if (js_Emit1(cx, cg, JSOP_NOP) < 0)
         return false;
 
     /* INCELEM pops two values and pushes one, so restore the initial depth. */
     cg->stackDepth++;
 
     int start = CG_OFFSET(cg);
 
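Review bot: EmitElemIncDec now accepts a NULL `pn`, but nothing at the definition says what that means, so the contract has to be inferred from the XML-name call site in js_EmitTree. A header comment would cover it, for example `/* pn may be NULL when the caller has already emitted the two operands the op pops; then only the op itself is emitted through EmitElemOpBase. */`. The NULL branch also skips the SRC_PCBASE source note that EmitElemOp adds before it calls EmitElemOpBase, which looks intentional but is worth stating in the same comment. The function body continues past the end of this hunk, so whether any later line still dereferences `pn` cannot be checked from here.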
@@ -6578,37 +6583,36 @@ js_EmitTree(JSContext *cx, JSCodeGenerat
             if (!js_EmitTree(cx, cg, pn2))
                 return JS_FALSE;
             if (js_NewSrcNote2(cx, cg, SRC_PCBASE,
                                CG_OFFSET(cg) - pn2->pn_offset) < 0) {
                 return JS_FALSE;
             }
             if (js_Emit1(cx, cg, op) < 0)
                 return JS_FALSE;
-            if (js_CodeSpec[op].format & JOF_DECOMPOSE) {
-                /*
-                 * This is dead code for the decompiler, don't generate
-                 * a decomposed version of the opcode. We do need to balance
-                 * the stacks in the decomposed version.
-                 */
-                JS_ASSERT(js_CodeSpec[op].format & JOF_ELEM);
-                if (js_Emit1(cx, cg, (JSOp)1) < 0)
-                    return JS_FALSE;
-                if (js_Emit1(cx, cg, JSOP_POP) < 0)
-                    return JS_FALSE;
-            }
+            /*
+             * This is dead code for the decompiler, don't generate
+             * a decomposed version of the opcode. We do need to balance
+             * the stacks in the decomposed version.
+             */
+            JS_ASSERT(js_CodeSpec[op].format & JOF_DECOMPOSE);
+            JS_ASSERT(js_CodeSpec[op].format & JOF_ELEM);
+            if (js_Emit1(cx, cg, (JSOp)1) < 0)
+                return JS_FALSE;
+            if (js_Emit1(cx, cg, JSOP_POP) < 0)
+                return JS_FALSE;
             break;
 #if JS_HAS_XML_SUPPORT
           case TOK_UNARYOP:
             JS_ASSERT(pn2->pn_op == JSOP_SETXMLNAME);
             if (!js_EmitTree(cx, cg, pn2->pn_kid))
                 return JS_FALSE;
             if (js_Emit1(cx, cg, JSOP_BINDXMLNAME) < 0)
                 return JS_FALSE;
-            if (js_Emit1(cx, cg, op) < 0)
+            if (!EmitElemIncDec(cx, NULL, op, cg))
                 return JS_FALSE;
             break;
 #endif
         }
         break;
 
       case TOK_DELETE:
         /*
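Review bot: The stack-balancing pair in this branch is emitted as `(JSOp)1` followed by JSOP_POP, and the raw opcode number does not tell a reader which op is meant or flag the problem if the opcode table is renumbered; the named enumerator should be used instead. With the `if` replaced by `JS_ASSERT(js_CodeSpec[op].format & JOF_DECOMPOSE)`, the pair is also emitted unconditionally in builds where assertions compile out. An op without that flag reaching this branch would then get two extra ops rather than being skipped as before. If that cannot happen, the block comment should say why every op reaching this point is a decomposed element op. The enclosing switch and js_EmitTree start and end outside the hunk.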