Bug 762105 - Fix increment on formal parameters aliased by the arguments object (r=dvander)
authorLuke Wagner <luke@mozilla.com>
Thu, 07 Jun 2012 02:42:56 -0700
changeset 101322 7e4c2abb9fc95d9484fd234e3bbf4b58d1c3f2c3
parent 101321 3933384d831510ed8c235678db4d3dbcde03151b
child 101336 5cc9eda2788ad5b267db372c4693bef5970b5edb
push id191
push userlsblakk@mozilla.com
push dateFri, 05 Oct 2012 17:12:53 +0000
treeherdermozilla-release@ddb22ac6c03b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdvander
bugs762105
milestone16.0a1
first release with
nightly linux32
7e4c2abb9fc9 / 16.0a1 / 20120607025755 / files
nightly linux64
7e4c2abb9fc9 / 16.0a1 / 20120607025755 / files
nightly mac
7e4c2abb9fc9 / 16.0a1 / 20120607025755 / files
nightly win32
7e4c2abb9fc9 / 16.0a1 / 20120607025755 / files
nightly win64
7e4c2abb9fc9 / 16.0a1 / 20120607025755 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 762105 - Fix increment on formal parameters aliased by the arguments object (r=dvander)
js/src/jit-test/tests/basic/testBug762105.js
js/src/methodjit/FastOps.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug762105.js
@@ -0,0 +1,33 @@
+function escapeme() {}
+
+function f1(x) {
+    escapeme(arguments);
+    var y = ++x;
+    return x + y;
+}
+for (var i = 0; i < 100; ++i)
+    assertEq(f1(2), 6);
+
+function f2(x) {
+    escapeme(arguments);
+    var y = --x;
+    return x + y;
+}
+for (var i = 0; i < 100; ++i)
+    assertEq(f2(2), 2);
+
+function f3(x) {
+    escapeme(arguments);
+    var y = x++;
+    return x + y;
+}
+for (var i = 0; i < 100; ++i)
+    assertEq(f3(2), 5);
+
+function f4(x) {
+    escapeme(arguments);
+    var y = x--;
+    return x + y;
+}
+for (var i = 0; i < 100; ++i)
+    assertEq(f4(2), 3);
--- a/js/src/methodjit/FastOps.cpp
+++ b/js/src/methodjit/FastOps.cpp
@@ -955,35 +955,45 @@ mjit::Compiler::jsop_arginc(JSOp op, uin
     types::TypeSet *types = pushedTypeSet(0);
     JSValueType type = types ? types->getKnownTypeTag(cx) : JSVAL_TYPE_UNKNOWN;
 
     int amt = (op == JSOP_ARGINC || op == JSOP_INCARG) ? 1 : -1;
 
     if (!analysis->incrementInitialValueObserved(PC)) {
         // Before:
         // After:  V
-        frame.pushArg(slot);
+        if (script->argsObjAliasesFormals())
+            jsop_aliasedArg(slot, /* get = */ true);
+        else
+            frame.pushArg(slot);
 
         // Before: V
         // After:  V 1
         frame.push(Int32Value(-amt));
 
         // Note, SUB will perform integer conversion for us.
         // Before: V 1
         // After:  N+1
         if (!jsop_binary(JSOP_SUB, stubs::Sub, type, types))
             return false;
 
         // Before: N+1
         // After:  N+1
-        frame.storeArg(slot, analysis->popGuaranteed(PC));
+        bool popGuaranteed = analysis->popGuaranteed(PC);
+        if (script->argsObjAliasesFormals())
+            jsop_aliasedArg(slot, /* get = */ false, popGuaranteed);
+        else
+            frame.storeArg(slot, popGuaranteed);
     } else {
         // Before:
         // After: V
-        frame.pushArg(slot);
+        if (script->argsObjAliasesFormals())
+            jsop_aliasedArg(slot, /* get = */ true);
+        else
+            frame.pushArg(slot);
 
         // Before: V
         // After:  N
         jsop_pos();
 
         // Before: N
         // After:  N N
         frame.dup();
@@ -994,17 +1004,20 @@ mjit::Compiler::jsop_arginc(JSOp op, uin
 
         // Before: N N 1
         // After:  N N+1
         if (!jsop_binary(JSOP_ADD, stubs::Add, type, types))
             return false;
 
         // Before: N N+1
         // After:  N N+1
-        frame.storeArg(slot, true);
+        if (script->argsObjAliasesFormals())
+            jsop_aliasedArg(slot, /* get = */ false, true);
+        else
+            frame.storeArg(slot, true);
 
         // Before: N N+1
         // After:  N
         frame.pop();
     }
 
     updateVarType();
     return true;