Bug 633020 - ArgSetter can return false without reporting an error on trace. r=dmandelin, a=sayrer.
authorJason Orendorff <jorendorff@mozilla.com>
Mon, 14 Feb 2011 14:01:58 -0600
changeset 62589 1a043548af6e53fa6951258f55800d252af1f877
parent 62588 589bb166be026d8b3008716e5e361d5041f8d05e
child 62590 432915db49a8b3b2d437e190affa93e6d5935d20
push id1
push userroot
push dateTue, 10 Dec 2013 15:46:25 +0000
reviewersdmandelin, sayrer
bugs633020
milestone2.0b12pre
Bug 633020 - ArgSetter can return false without reporting an error on trace. r=dmandelin, a=sayrer.
js/src/jit-test/tests/arguments/bug633020.js
js/src/jsfun.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/arguments/bug633020.js
@@ -0,0 +1,11 @@
+var N = HOTLOOP + 2;
+function f(b) {
+    var a = [];
+    for (var i = 0; i < N; i++)
+        a[i] = {};
+    a[N-1] = arguments;
+    for (var i = 0; i < N; i++)
+        a[i][0] = i;
+    assertEq(b, N - 1);
+}
+f(null);
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -549,20 +549,17 @@ ArgGetter(JSContext *cx, JSObject *obj, 
 static JSBool
 ArgSetter(JSContext *cx, JSObject *obj, jsid id, JSBool strict, Value *vp)
 {
 #ifdef JS_TRACER
     // To be able to set a property here on trace, we would have to make
     // sure any updates also get written back to the trace native stack.
     // For simplicity, we just leave trace, since this is presumably not
     // a common operation.
-    if (JS_ON_TRACE(cx)) {
-        DeepBail(cx);
-        return false;
-    }
+    LeaveTrace(cx);
 #endif
 
     if (!InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
         return true;
 
     if (JSID_IS_INT(id)) {
         uintN arg = uintN(JSID_TO_INT(id));
         if (arg < obj->getArgsInitialLength()) {