Fall off trace if 'this' is a 'with' object (496057, r=mrbkap).
authorAndreas Gal <gal@mozilla.com>
Tue, 02 Jun 2009 20:03:58 -0700
changeset 25868 4484277f94346ea90e7df5afcb8cea9096548674
parent 25867 ba731d4f9b0a9f83db1edc08047a420eaaca4c4a
child 25869 5bb3a53e5ddda80bfeaca6d300103ce41ed5e3d6
push id1645
push userrsayre@mozilla.com
push dateThu, 04 Jun 2009 16:54:53 +0000
reviewersmrbkap
bugs496057
milestone1.9.1pre
Fall off trace if 'this' is a 'with' object (496057, r=mrbkap).
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -6652,17 +6652,25 @@ TraceRecorder::unbox_jsval(jsval v, LIns
 }
 
 JS_REQUIRES_STACK JSRecordingStatus
 TraceRecorder::getThis(LIns*& this_ins)
 {
     /*
      * js_ComputeThisForFrame updates cx->fp->argv[-1], so sample it into 'original' first.
      */
-    jsval original = cx->fp->callee ? cx->fp->argv[-1] : JSVAL_NULL;
+    jsval original = JSVAL_NULL;
+    if (cx->fp->callee) {
+        original = cx->fp->argv[-1];
+        if (!JSVAL_IS_PRIMITIVE(original) &&
+            guardClass(JSVAL_TO_OBJECT(original), get(&cx->fp->argv[-1]), &js_WithClass, snapshot(MISMATCH_EXIT))) {
+            ABORT_TRACE("can't trace getThis on With object");
+        }
+    }
+
     JSObject* thisObj = js_ComputeThisForFrame(cx, cx->fp);
     if (!thisObj)
         ABORT_TRACE_ERROR("js_ComputeThisForName failed");
 
     /*
      * In global code, bake in the global object as 'this' object.
      */
     if (!cx->fp->callee) {
@@ -6689,19 +6697,16 @@ TraceRecorder::getThis(LIns*& this_ins)
         if (thisObj != globalObj)
             ABORT_TRACE("global object was wrapped while recording");
         this_ins = INS_CONSTPTR(thisObj);
         set(&thisv, this_ins);
         return JSRS_CONTINUE;
     }
     this_ins = get(&thisv);
 
-    if (guardClass(JSVAL_TO_OBJECT(thisv), this_ins, &js_WithClass, snapshot(MISMATCH_EXIT)))
-        ABORT_TRACE("can't trace getThis on With object");
-
     /*
      * The only unwrapped object that needs to be wrapped that we can get here is the
      * global object obtained throught the scope chain.
      */
     JS_ASSERT(JSVAL_IS_OBJECT(thisv));
     JSObject* obj = js_GetWrappedObject(cx, JSVAL_TO_OBJECT(thisv));
     OBJ_TO_INNER_OBJECT(cx, obj);
     if (!obj)