Bug 747926 - Preserve type tag when overwriting VM stack values (r=bhackett,a=lsblakk)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 07 May 2012 10:12:58 -0700
changeset 92189 7dfc84b36390a701d092596a3405bdb7cb0a36a3
parent 92186 31261e28a23960ac28fef527273b21cb0920cef2
child 92192 caa87a960475b7cabd6d833f15f9678b500e92e0
push idunknown
push userunknown
push dateunknown
reviewersbhackett, lsblakk
bugs747926
milestone13.0
Bug 747926 - Preserve type tag when overwriting VM stack values (r=bhackett,a=lsblakk)
js/src/jit-test/tests/basic/bug747926.js
js/src/vm/Stack.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug747926.js
@@ -0,0 +1,12 @@
+a = 'a';
+b = [,];
+exhaustiveSliceTest("exhaustive slice test 1", a);
+print('---');
+exhaustiveSliceTest("exhaustive slice test 2", b);
+function exhaustiveSliceTest(testname, a){
+  x = 0
+  var y = 0;
+  countHeap();
+    for (y=a.length; y + a.length; y--) { print(y);
+					  var b  = a.slice(x,y); }
+}
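Review bot: The new test states nowhere what it exercises, so a reader has only the filename to connect it to the Stack.cpp change; a header line such as `// Regression test for bug 747926: GC during array slicing must not rewrite dead VM stack slots with a value of a different type tag.` would make the intent of countHeap() and the slice loop clear. The loop body at the end of exhaustiveSliceTest is indented by tabs while the rest uses two spaces, and `x = 0` lacks the semicolon its neighbours have; that is presumably a reduced fuzzer case, but aligning the indentation costs nothing. Nothing is asserted, which is fine for a crash test as long as the header says so.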
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -479,21 +479,26 @@ StackSpace::markFrameSlots(JSTracer *trc
      */
     analyze::AutoEnterAnalysis aea(script->compartment());
     analyze::ScriptAnalysis *analysis = script->analysis();
     uint32_t offset = pc - script->code;
     Value *fixedEnd = slotsBegin + script->nfixed;
     for (Value *vp = slotsBegin; vp < fixedEnd; vp++) {
         uint32_t slot = analyze::LocalSlot(script, vp - slotsBegin);
 
-        /* Will this slot be synced by the JIT? */
+        /*
+         * Will this slot be synced by the JIT? If not, replace with a dummy
+         * value with the same type tag.
+         */
         if (!analysis->trackSlot(slot) || analysis->liveness(slot).live(offset))
             gc::MarkValueRoot(trc, vp, "vm_stack");
-        else
-            *vp = UndefinedValue();
+        else if (vp->isObject())
+            *vp = ObjectValue(fp->scopeChain().global());
+        else if (vp->isString())
+            *vp = StringValue(trc->runtime->atomState.nullAtom);
     }
 
     gc::MarkValueRootRange(trc, fixedEnd, slotsEnd, "vm_stack");
 }
 
 void
 StackSpace::mark(JSTracer *trc)
 {
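Review bot: The new else-if chain relies on object and string being the only Value tags that carry a GC pointer, but nothing in the code states that, so a later tag that references GC memory would silently be left unmarked and unreplaced in a dead slot — exactly the stale-pointer situation this marking pass exists to avoid. Making the assumption explicit with a final `else JS_ASSERT(!vp->isGCThing());` after the string branch turns that into a debug-build failure instead of a latent dangling reference. The added comment says the dummy keeps the same tag but not why; presumably the JIT still trusts the tag it recorded for the slot, so a one-line addition such as `/* The JIT may still rely on the slot's tag, so only the referent is replaced. */` would save the next reader from re-deriving it — confirm the reason against the JIT side. markFrameSlots begins before this hunk, and StackSpace::mark continues past it.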