Bug 499772 - TM: TraceRecorder::test_property_cache needs JSClass.getProperty checks when a property isn't found on an object. r=jorendorff, r=brendan
authorJeff Walden <jwalden@mit.edu>
Mon, 22 Jun 2009 14:35:57 -0700
changeset 26060 79292a9fdeb1bfda94750fb77de64cf4bf1ca2ad
parent 26059 4c0647472a578150b9f5264810cd20bcacef1fd7
child 26061 bb79d3a42c012b8dfdaed04ee1696e6f5091c17d
push id1768
push userrsayre@mozilla.com
push dateTue, 14 Jul 2009 17:30:01 +0000
reviewersjorendorff, brendan
bugs499772
milestone1.9.1.1pre
Bug 499772 - TM: TraceRecorder::test_property_cache needs JSClass.getProperty checks when a property isn't found on an object. r=jorendorff, r=brendan
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -9024,18 +9024,28 @@ TraceRecorder::prop(JSObject* obj, LIns*
     JSObject* obj2;
     jsuword pcval;
     CHECK_STATUS(test_property_cache(obj, obj_ins, obj2, pcval));
 
     /* Check for non-existent property reference, which results in undefined. */
     const JSCodeSpec& cs = js_CodeSpec[*cx->fp->regs->pc];
     if (PCVAL_IS_NULL(pcval)) {
         /*
+         * We could specialize to guard on just JSClass.getProperty, but a mere
+         * class guard is simpler and slightly faster.
+         */
+        if (OBJ_GET_CLASS(cx, obj)->getProperty != JS_PropertyStub) {
+            ABORT_TRACE("can't trace through access to undefined property if "
+                        "JSClass.getProperty hook isn't stubbed");
+        }
+        guardClass(obj, obj_ins, OBJ_GET_CLASS(cx, obj), snapshot(MISMATCH_EXIT));
+
+        /*
          * This trace will be valid as long as neither the object nor any object
-         * on its prototype chain change shape.
+         * on its prototype chain changes shape.
          */
         VMSideExit* exit = snapshot(BRANCH_EXIT);
         do {
             LIns* map_ins = lir->insLoad(LIR_ldp, obj_ins, (int)offsetof(JSObject, map));
             LIns* ops_ins;
             if (map_is_native(obj->map, map_ins, ops_ins)) {
                 LIns* shape_ins = addName(lir->insLoad(LIR_ld, map_ins, offsetof(JSScope, shape)),
                                           "shape");