[INFER] Watch out for Invoke called on dummy frames when deciding to use a new type for the result, bug 653262.
authorBrian Hackett <bhackett1024@gmail.com>
Sun, 01 May 2011 17:45:53 -0700
changeset 74993 f85a663ce75a3f8130db399ca7ba9e6f80815800
parent 74992 e0d5de48aafb473ab7106388e9a22305d1febf29
child 74994 3062ff7fef8309febe7904d04a94c96193ed1f47
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs653262
milestone6.0a1
[INFER] Watch out for Invoke called on dummy frames when deciding to use a new type for the result, bug 653262.
js/src/jit-test/tests/basic/bug653262.js
js/src/jsinterp.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug653262.js
@@ -0,0 +1,6 @@
+var HAVE_TM = 'tracemonkey' in this;
+var HOTLOOP = HAVE_TM ? tracemonkey : 8;
+with(evalcx(''))(function eval() {}, this.__defineGetter__("x", Function));
+var i = 0;
+var o;
+new(x);
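Review bot: The new test carries no comment and no assertion, so its intent — that constructing the empty function produced by the `x` getter via `new(x)` must not trip the assertion in Invoke — is recoverable only from the bug number in the filename. A one-line header such as `// Bug 653262: constructing an empty function via Invoke from a non-script (dummy) frame must not assert.` would record what a future failure means; how the dummy frame arises here (presumably through the cross-compartment object from `evalcx`) is not visible in the test itself and should be confirmed before being stated. `HAVE_TM`, `HOTLOOP`, `i` and `o` on lines 19–20 and 22–23 are never read and look like fuzzer residue; dropping them would make the reproducer easier to read.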
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -651,17 +651,17 @@ Invoke(JSContext *cx, const CallArgs &ar
     JS_ASSERT_IF(option == INVOKE_CONSTRUCTOR, !fun->isConstructor());
     if (fun->isNative())
         return CallJSNative(cx, fun->u.n.native, args.argc(), args.base());
 
     /* Handle the empty-script special case. */
     JSScript *script = fun->script();
     if (JS_UNLIKELY(script->isEmpty())) {
         if (option == INVOKE_CONSTRUCTOR) {
-            bool newType = cx->typeInferenceEnabled() &&
+            bool newType = cx->typeInferenceEnabled() && cx->fp()->isScriptFrame() &&
                 UseNewType(cx, cx->fp()->script(), cx->regs().pc);
             JSObject *obj = js_CreateThisForFunction(cx, &callee, newType);
             if (!obj)
                 return false;
             args.rval().setObject(*obj);
         } else {
             args.rval().setUndefined();
         }