Bug 879079 - Fix rooting analysis bugs from calls to ToNumber; r=sfink
authorTerrence Cole <terrence@mozilla.com>
Tue, 04 Jun 2013 16:14:14 -0700
changeset 148731 1d07c8c757742802d80b8534b2dd804b1d84811f
parent 148730 301c184ae8e7ade65777e41617c43a4c3b5030ac
child 148732 c5e8757e2e6f21e1af1c9b5146f989d334e7592c
push id2859
push userakeybl@mozilla.com
push dateMon, 16 Sep 2013 19:14:59 +0000
reviewerssfink
bugs879079
milestone25.0a1
Bug 879079 - Fix rooting analysis bugs from calls to ToNumber; r=sfink
js/src/ion/BaselineIC.cpp
js/src/jsnum.cpp
js/src/jsnum.h
js/src/vm/Interpreter.cpp
--- a/js/src/ion/BaselineIC.cpp
+++ b/js/src/ion/BaselineIC.cpp
@@ -2346,17 +2346,17 @@ ICToBool_Object::Compiler::generateStubC
 // ToNumber_Fallback
 //
 
 static bool
 DoToNumberFallback(JSContext *cx, ICToNumber_Fallback *stub, HandleValue arg, MutableHandleValue ret)
 {
     FallbackICSpew(cx, stub, "ToNumber");
     ret.set(arg);
-    return ToNumber(cx, ret.address());
+    return ToNumber(cx, ret);
 }
 
 typedef bool (*DoToNumberFallbackFn)(JSContext *, ICToNumber_Fallback *, HandleValue, MutableHandleValue);
 static const VMFunction DoToNumberFallbackInfo =
     FunctionInfo<DoToNumberFallbackFn>(DoToNumberFallback, PopValues(1));
 
 bool
 ICToNumber_Fallback::Compiler::generateStubCode(MacroAssembler &masm)
--- a/js/src/jsnum.cpp
+++ b/js/src/jsnum.cpp
@@ -418,34 +418,36 @@ Class NumberObject::class_ = {
     JS_EnumerateStub,
     JS_ResolveStub,
     JS_ConvertStub
 };
 
 static JSBool
 Number(JSContext *cx, unsigned argc, Value *vp)
 {
+    CallArgs args = CallArgsFromVp(argc, vp);
+
     /* Sample JS_CALLEE before clobbering. */
-    bool isConstructing = IsConstructing(vp);
+    bool isConstructing = IsConstructing(args);
 
-    if (argc > 0) {
-        if (!ToNumber(cx, &vp[2]))
+    if (args.length() > 0) {
+        if (!ToNumber(cx, args.handleAt(0)))
             return false;
-        vp[0] = vp[2];
+        args.rval().set(args[0]);
     } else {
-        vp[0].setInt32(0);
+        args.rval().setInt32(0);
     }
 
     if (!isConstructing)
         return true;
 
-    JSObject *obj = NumberObject::create(cx, vp[0].toNumber());
+    JSObject *obj = NumberObject::create(cx, args.rval().toNumber());
     if (!obj)
         return false;
-    vp->setObject(*obj);
+    args.rval().setObject(*obj);
     return true;
 }
 
 JS_ALWAYS_INLINE bool
 IsNumber(const Value &v)
 {
     return v.isNumber() || (v.isObject() && v.toObject().is<NumberObject>());
 }
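Review bot: The comment `/* Sample JS_CALLEE before clobbering. */` still names the old vp-macro API although the line beneath it now reads `IsConstructing(args)`; since the result is now written through `args.rval()`, which replaces the removed `vp[0]` stores, wording such as `/* Read the constructing flag before args.rval() overwrites the callee slot. */` would describe the current code. A one-line comment at the `ToNumber(cx, args.handleAt(0))` call noting that the conversion happens in place on the argument slot would also make clear why `args.rval().set(args[0])` yields the converted number rather than the original argument. Both points are documentation only; the control flow mirrors the removed lines.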
--- a/js/src/jsnum.h
+++ b/js/src/jsnum.h
@@ -128,33 +128,30 @@ ParseDecimalNumber(const JS::TwoByteChar
  * *dp == 0 and *endp == start upon return.
  */
 extern bool
 GetPrefixInteger(JSContext *cx, const jschar *start, const jschar *end, int base,
                  const jschar **endp, double *dp);
 
 /* ES5 9.3 ToNumber, overwriting *vp with the appropriate number value. */
 JS_ALWAYS_INLINE bool
-ToNumber(JSContext *cx, Value *vp)
+ToNumber(JSContext *cx, JS::MutableHandleValue vp)
 {
 #ifdef DEBUG
-    {
-        SkipRoot skip(cx, vp);
-        MaybeCheckStackRoots(cx);
-    }
+    MaybeCheckStackRoots(cx);
 #endif
 
-    if (vp->isNumber())
+    if (vp.isNumber())
         return true;
     double d;
-    extern bool ToNumberSlow(JSContext *cx, js::Value v, double *dp);
-    if (!ToNumberSlow(cx, *vp, &d))
+    extern bool ToNumberSlow(JSContext *cx, Value v, double *dp);
+    if (!ToNumberSlow(cx, vp, &d))
         return false;
 
-    vp->setNumber(d);
+    vp.setNumber(d);
     return true;
 }
 
 JSBool
 num_parseInt(JSContext *cx, unsigned argc, Value *vp);
 
 }  /* namespace js */
 
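Review bot: ToNumberSlow is still declared to take its operand as a plain `Value v` by value (the function-local extern on the new side), even though the purpose of this change is to keep the operand rooted across the call; the ES5 9.3 conversion referenced in the header comment can presumably run script for objects and so can GC, which makes the by-value copy in the callee safe only if ToNumberSlow roots it on entry — that is not visible here, so either confirm it or change the declaration to `extern bool ToNumberSlow(JSContext *cx, HandleValue v, double *dp);` and pass `vp` directly. Separately, a function-local extern prototype is fragile because a mismatch with the definition in jsnum.cpp is only caught at link time; declaring ToNumberSlow once at namespace scope in this header next to ToNumber avoids that. The unchanged doc comment `/* ES5 9.3 ToNumber, overwriting *vp with the appropriate number value. */` is now stale since vp is a handle rather than a pointer, and could read `overwriting vp with`.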
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -2014,17 +2014,17 @@ BEGIN_CASE(JSOP_NEG)
     val = regs.sp[-1];
     MutableHandleValue res = MutableHandleValue::fromMarkedLocation(&regs.sp[-1]);
     if (!NegOperation(cx, script, regs.pc, val, res))
         goto error;
 }
 END_CASE(JSOP_NEG)
 
 BEGIN_CASE(JSOP_POS)
-    if (!ToNumber(cx, &regs.sp[-1]))
+    if (!ToNumber(cx, MutableHandleValue::fromMarkedLocation(&regs.sp[-1])))
         goto error;
     if (!regs.sp[-1].isInt32())
         TypeScript::MonitorOverflow(cx, script, regs.pc);
 END_CASE(JSOP_POS)
 
 BEGIN_CASE(JSOP_DELNAME)
 {
     /* Strict mode code should never contain JSOP_DELNAME opcodes. */
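Review bot: Style: the JSOP_NEG case just above binds the top-of-stack slot to a named `MutableHandleValue res` via fromMarkedLocation before using it, while JSOP_POS now builds the same handle inline inside the ToNumber call; following the JSOP_NEG pattern, `MutableHandleValue res = MutableHandleValue::fromMarkedLocation(&regs.sp[-1]);` followed by `if (!ToNumber(cx, res))` would keep the two cases consistent and make it obvious that the subsequent `regs.sp[-1].isInt32()` check inspects the slot just converted in place. Like JSOP_NEG, this would need a braced case body for the local. The interpreter loop enclosing these BEGIN_CASE/END_CASE blocks lies outside the hunk.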