Bug 881461 - Fix INITPROP/INITELEM GETTER/SETTER ops to leave values on the stack for the decompiler. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 13 Jun 2013 16:00:35 +0200
changeset 146433 f9e6eb0d523921fe7fae635b834a927b607e9f5f
parent 146432 77c32a55c48b438ed17368c00a7212359947a4a4
child 146434 dd495b44575205b459b01a5711f0d675d10bd347
push id2697
push userbbajaj@mozilla.com
push dateMon, 05 Aug 2013 18:49:53 +0000
reviewersbhackett
bugs881461
milestone24.0a1
Bug 881461 - Fix INITPROP/INITELEM GETTER/SETTER ops to leave values on the stack for the decompiler. r=bhackett
js/src/ion/BaselineCompiler.cpp
js/src/jit-test/tests/baseline/bug881461.js
--- a/js/src/ion/BaselineCompiler.cpp
+++ b/js/src/ion/BaselineCompiler.cpp
@@ -1990,27 +1990,33 @@ static const VMFunction InitPropGetterSe
     FunctionInfo<InitPropGetterSetterFn>(InitGetterSetterOperation);
 
 bool
 BaselineCompiler::emitInitPropGetterSetter()
 {
     JS_ASSERT(JSOp(*pc) == JSOP_INITPROP_GETTER ||
               JSOp(*pc) == JSOP_INITPROP_SETTER);
 
-    // Load value in R0, keep object on the stack.
-    frame.popRegsAndSync(1);
+    // Load value in R0 but keep it on the stack for the decompiler.
+    frame.syncStack(0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-1)), R0);
+
     prepareVMCall();
 
     pushArg(R0);
     pushArg(ImmGCPtr(script->getName(pc)));
-    masm.extractObject(frame.addressOfStackValue(frame.peek(-1)), R0.scratchReg());
+    masm.extractObject(frame.addressOfStackValue(frame.peek(-2)), R0.scratchReg());
     pushArg(R0.scratchReg());
     pushArg(ImmWord(pc));
 
-    return callVM(InitPropGetterSetterInfo);
+    if (!callVM(InitPropGetterSetterInfo))
+        return false;
+
+    frame.pop();
+    return true;
 }
 
 bool
 BaselineCompiler::emit_JSOP_INITPROP_GETTER()
 {
     return emitInitPropGetterSetter();
 }
 
@@ -2026,27 +2032,35 @@ static const VMFunction InitElemGetterSe
     FunctionInfo<InitElemGetterSetterFn>(InitGetterSetterOperation);
 
 bool
 BaselineCompiler::emitInitElemGetterSetter()
 {
     JS_ASSERT(JSOp(*pc) == JSOP_INITELEM_GETTER ||
               JSOp(*pc) == JSOP_INITELEM_SETTER);
 
-    // Load index and value in R0 and R1, keep object on the stack.
-    frame.popRegsAndSync(2);
+    // Load index and value in R0 and R1, but keep values on the stack for the
+    // decompiler.
+    frame.syncStack(0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-2)), R0);
+    masm.loadValue(frame.addressOfStackValue(frame.peek(-1)), R1);
+
     prepareVMCall();
 
     pushArg(R1);
     pushArg(R0);
-    masm.extractObject(frame.addressOfStackValue(frame.peek(-1)), R0.scratchReg());
+    masm.extractObject(frame.addressOfStackValue(frame.peek(-3)), R0.scratchReg());
     pushArg(R0.scratchReg());
     pushArg(ImmWord(pc));
 
-    return callVM(InitElemGetterSetterInfo);
+    if (!callVM(InitElemGetterSetterInfo))
+        return false;
+
+    frame.popn(2);
+    return true;
 }
 
 bool
 BaselineCompiler::emit_JSOP_INITELEM_GETTER()
 {
     return emitInitElemGetterSetter();
 }
 
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/baseline/bug881461.js
@@ -0,0 +1,3 @@
+// |jit-test| error: TypeError
+z = Proxy.create({}, (function(){}));
+({__proto__: z, set c(a) {}});
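Review bot: The new test only exercises the INITPROP_SETTER path via `set c(a) {}`; the INITPROP_GETTER case and both INITELEM variants changed in BaselineCompiler.cpp have no coverage here. A second literal in the same file with a getter, and one with a key that lowers to the INITELEM form (a numeric key such as `get 1() {}`, if that is what emits it), would cover the other helper under the same throwing-proxy prototype. Since the file expects a single TypeError, each extra case would need its own test file or a try/catch around all but the last.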