Bug 847412 - Monitor result type after a direct eval from Ion code, r=jandem.
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -4464,17 +4464,20 @@ IonBuilder::jsop_eval(uint32_t argc)
}
MInstruction *filterArguments = MFilterArguments::New(string);
current->add(filterArguments);
MInstruction *ins = MCallDirectEval::New(scopeChain, string, thisValue);
current->add(ins);
current->push(ins);
- return resumeAfter(ins);
+
+ types::StackTypeSet *barrier;
+ types::StackTypeSet *types = oracle->returnTypeSet(script(), pc, &barrier);
+ return resumeAfter(ins) && pushTypeBarrier(ins, types, barrier);
}
return jsop_call(argc, /* constructing = */ false);
}
bool
IonBuilder::jsop_compare(JSOp op)
{
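Review bot: The three added lines in the direct-eval branch have no comment explaining why a barrier is needed, and the reason is not obvious from the code. A direct eval can produce a value of any type, so the result must be checked against the observed type set before later Ion code relies on it. I would add above the declaration `// Direct eval can return any value; guard the result with a type barrier so later code never trusts a stale type.` Separately, `barrier` is passed to `oracle->returnTypeSet()` uninitialized; if that function can return without writing the out-parameter (its definition is not in this hunk), `pushTypeBarrier` would receive an indeterminate pointer, so `types::StackTypeSet *barrier = NULL;` is the safer declaration. jsop_eval begins above the hunk, so the condition guarding this branch is not visible here.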
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug847412.js
@@ -0,0 +1,19 @@
+
+var gTestcases = new Array();
+var gTc = gTestcases.length;
+function TestCase( a) {
+ this.actual = a;
+ gTestcases[gTc++] = this;
+}
+function test() {
+ for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
+ gTestcases[gTc].actual.toString()
+ }
+}
+function testOverwritingSparseHole() {
+ for (var i = 0; i < 50; i++)
+ new TestCase(eval("VAR1 = 0; VAR2 = -1; VAR1 %= VAR2; VAR1"));
+}
+testOverwritingSparseHole();
+test();
+this.toSource();
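Review bot: The new test contains no assertion and no comment, so it can only fail by crashing or tripping an engine assertion. Names such as `testOverwritingSparseHole` (apparently left over from the reduced original) say nothing about direct eval. A header line such as `// Bug 847412: the result of a direct eval called from Ion code must be type-monitored.` would tell the next reader what is being protected. The loop in `test()` could also pin the value with `assertEq(gTestcases[gTc].actual, 0);`, assuming the usual jit-test `assertEq` helper, so a wrong result is caught even in builds where the engine's own assertions are compiled out.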