Bug 757431 - Fix stack scanning in Splat (r=bhackett,a=lsblakk)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 18 Jun 2012 17:04:52 -0700
changeset 96176 0ad2987252b2465bb06212d8f13a8ec5344a5fd3
parent 96175 6a43080525ab7aad3b6b0ebdb1fb81489bc700f1
child 96177 a272c966d0cadc96cd9d4d5d61b13d19174d0c4a
push id1049
push userwmccloskey@mozilla.com
push dateTue, 26 Jun 2012 21:42:05 +0000
reviewersbhackett, lsblakk
bugs757431
milestone14.0
Bug 757431 - Fix stack scanning in Splat (r=bhackett,a=lsblakk)
js/src/jit-test/tests/basic/bug757431.js
js/src/methodjit/MonoIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug757431.js
@@ -0,0 +1,18 @@
+
+function setterFunction(v) { called = true; }
+function getterFunction(v) { return "getter"; }
+Object.defineProperty(Array.prototype, 1,{ 
+  get: getterFunction, 
+  set: setterFunction 
+});
+gczeal(4);
+var N = 350;
+var source = "".concat(
+  repeat_str("try { f(); } finally {\n", N),
+  repeat_str("}", N));
+function repeat_str(str, repeat_count) {
+  var arr = new Array(--repeat_count);
+  while (repeat_count != 0)
+    arr[--repeat_count] = str;
+  return str.concat.apply(str, arr);
+}
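Review bot: The test never says what it exercises, and nothing here calls `f` or evaluates `source`, so a reader cannot tell whether the string-building is the point or only a vehicle. Presumably the interesting call is `str.concat.apply(str, arr)` inside `repeat_str`: `arr[1]` is routed through the accessor installed on `Array.prototype` at index 1, so the `apply` has to read that element through a getter that can run under `gczeal(4)`, which is what reaches the `MakeRangeGCSafe` fix in `SplatApplyArgs` — verify against the bug. A one-line header such as `// Bug 757431: apply() over an array whose element 1 is an accessor on Array.prototype; gczeal(4) makes the getter GC while the splatted-argument slots are live.` would keep the reduced fuzz case readable. `called` is also assigned in `setterFunction` without being declared anywhere in the file; `var called;` at the top would make that intent explicit.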
--- a/js/src/methodjit/MonoIC.cpp
+++ b/js/src/methodjit/MonoIC.cpp
@@ -1125,18 +1125,23 @@ ic::SplatApplyArgs(VMFrame &f)
     /* Step 6. */
     if (length > StackSpace::ARGS_LENGTH_MAX) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                              JSMSG_TOO_MANY_FUN_APPLY_ARGS);
         THROWV(false);
     }
 
     int delta = length - 1;
-    if (delta > 0 && !BumpStack(f, delta))
-        THROWV(false);
+    if (delta > 0) {
+        if (!BumpStack(f, delta))
+            THROWV(false);
+
+        MakeRangeGCSafe(f.regs.sp, delta);
+    }
+
     f.regs.sp += delta;
 
     /* Steps 7-8. */
     if (!GetElements(cx, aobj, length, f.regs.sp - length))
         THROWV(false);
 
     f.u.call.dynamicArgc = length;
     return true;
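Review bot: The new `MakeRangeGCSafe(f.regs.sp, delta);` call has no comment explaining why the slots reserved by `BumpStack` must be initialized before `f.regs.sp` is advanced, and the reason is not obvious from the hunk alone. Presumably `GetElements` further down can call back into script (the accompanying test installs a getter on `Array.prototype`) and therefore trigger a GC that scans the freshly bumped range — confirm against the bug. A why-comment next to the call, `/* GetElements below may run getters and GC; the bumped slots must not hold stale values when the stack is scanned. */`, would preserve that reasoning for the next reader. `SplatApplyArgs` begins and ends outside the hunk, so any earlier path that bumps the stack is not visible here.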