Bug 1264561 - Fix ClassOps::call and ClassOps::construct address calculation in visitIsCallable and visitIsConstructor. r=efaust
authorTooru Fujisawa <arai_a@mac.com>
Thu, 14 Apr 2016 19:00:17 +0900
changeset 331126 1a6be8c5e45b8405c652111643d7bc808e68c849
parent 331125 bc425da2ddae413c797cc0498a90c889a775cdf6
child 331127 a26b792fc082ef7377ed9a5bb402a286e2c50e4b
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
reviewersefaust
bugs1264561
milestone48.0a1
Bug 1264561 - Fix ClassOps::call and ClassOps::construct address calculation in visitIsCallable and visitIsConstructor. r=efaust
js/src/jit-test/tests/auto-regress/bug1264561.js
js/src/jit/CodeGenerator.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1264561.js
@@ -0,0 +1,6 @@
+var r = RegExp("");
+var s = "";
+s += "".replace(r, Function("x"));
+for (var x = 0; x < 5; x++) {
+    s += "".replace(r, this);
+}
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -10718,16 +10718,17 @@ CodeGenerator::visitIsCallable(LIsCallab
 
     masm.bind(&notFunction);
     masm.branchPtr(Assembler::NonZero, Address(output, offsetof(js::Class, cOps)),
                    ImmPtr(nullptr), &hasCOps);
     masm.move32(Imm32(0), output);
     masm.jump(&done);
 
     masm.bind(&hasCOps);
+    masm.loadPtr(Address(output, offsetof(js::Class, cOps)), output);
     masm.cmpPtrSet(Assembler::NonZero, Address(output, offsetof(js::ClassOps, call)),
                    ImmPtr(nullptr), output);
 
     masm.bind(&done);
     masm.bind(ool->rejoin());
 }
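Review bot: The added `masm.loadPtr` at the `hasCOps` label needs a one-line comment, because the same register is used first as the js::Class* and, after this line, as the js::ClassOps*, and the defect this commit fixes was exactly that conflation (applying `offsetof(js::ClassOps, call)` to the Class pointer and reading from the wrong object). Suggested: `// output holds the js::Class*; cOps is a pointer, so dereference it before indexing ClassOps::call.` The `branchPtr` two lines above confirms `output` is the Class pointer at this point, since it reads `offsetof(js::Class, cOps)` from it. visitIsCallable starts before this hunk.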
 
 void
@@ -10796,16 +10797,17 @@ CodeGenerator::visitIsConstructor(LIsCon
 
     masm.bind(&notFunction);
     masm.branchPtr(Assembler::NonZero, Address(output, offsetof(js::Class, cOps)),
                    ImmPtr(nullptr), &hasCOps);
     masm.move32(Imm32(0), output);
     masm.jump(&done);
 
     masm.bind(&hasCOps);
+    masm.loadPtr(Address(output, offsetof(js::Class, cOps)), output);
     masm.cmpPtrSet(Assembler::NonZero, Address(output, offsetof(js::ClassOps, construct)),
                    ImmPtr(nullptr), output);
 
     masm.bind(&done);
     masm.bind(ool->rejoin());
 }
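Review bot: The fixed `hasCOps` sequence in visitIsConstructor is a line-for-line copy of the one in visitIsCallable, differing only in the ClassOps member tested, and the offset mistake this commit corrects had to be fixed in both copies; factoring the null-check on `cOps`, the `loadPtr` of `cOps`, and the `cmpPtrSet` on the member into one file-local helper parameterized by the member offset would keep the two sites from drifting apart again. The call site here would become `EmitClassOpIsNonNull(masm, output, offsetof(js::ClassOps, construct));` after `masm.bind(&notFunction);`, with the function's own `done` label still bound afterwards. This assumes the jit's `Label`/`Register`/`MacroAssembler` types as already used in this file; visitIsConstructor starts before this hunk.
```cpp
// Sets |output| to 1 if the ClassOps member at |opOffset| of the class in
// |output| is non-null, else 0. |output| holds a js::Class* on entry and is
// clobbered.
static void
EmitClassOpIsNonNull(MacroAssembler& masm, Register output, size_t opOffset)
{
    Label hasCOps, done;
    masm.branchPtr(Assembler::NonZero, Address(output, offsetof(js::Class, cOps)),
                   ImmPtr(nullptr), &hasCOps);
    masm.move32(Imm32(0), output);
    masm.jump(&done);

    masm.bind(&hasCOps);
    // cOps is a pointer: dereference it before indexing the ClassOps member.
    masm.loadPtr(Address(output, offsetof(js::Class, cOps)), output);
    masm.cmpPtrSet(Assembler::NonZero, Address(output, opOffset), ImmPtr(nullptr), output);
    masm.bind(&done);
}
```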
 
 void