Bug 606141. ArrayCompPush can deep-bail, so handle that. r=jorendorff
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 04 Nov 2010 16:37:44 -0400
changeset 57710 b55d8612e834807b0f6b2e49cdb82e47f81f472b
parent 57709 b1094f628602829131cdb50d7b6e454ebd87a25a
child 57711 19f70f8c2b88c6aca3e217cd861f6c58b243e7b3
push id1
push usershaver@mozilla.com
push dateTue, 04 Jan 2011 17:58:04 +0000
reviewersjorendorff
bugs606141
milestone2.0b8pre
Bug 606141. ArrayCompPush can deep-bail, so handle that. r=jorendorff
js/src/jsarray.cpp
js/src/jstracer.cpp
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1996,20 +1996,25 @@ JSBool
 js_ArrayCompPush(JSContext *cx, JSObject *obj, const Value &vp)
 {
     return ArrayCompPushImpl(cx, obj, vp);
 }
 
 JSBool JS_FASTCALL
 js_ArrayCompPush_tn(JSContext *cx, JSObject *obj, ValueArgType v)
 {
-    return ArrayCompPushImpl(cx, obj, ValueArgToConstRef(v));
+    if (!ArrayCompPushImpl(cx, obj, ValueArgToConstRef(v))) {
+        SetBuiltinError(cx);
+        return JS_FALSE;
+    }
+
+    return cx->tracerState->builtinStatus == 0;
 }
-JS_DEFINE_CALLINFO_3(extern, BOOL, js_ArrayCompPush_tn, CONTEXT, OBJECT, VALUE,
-                     0, nanojit::ACCSET_STORE_ANY)
+JS_DEFINE_CALLINFO_3(extern, BOOL_FAIL, js_ArrayCompPush_tn, CONTEXT, OBJECT,
+                     VALUE, 0, nanojit::ACCSET_STORE_ANY)
 
 static JSBool
 array_push(JSContext *cx, uintN argc, Value *vp)
 {
     /* Insist on one argument and obj of the expected class. */
     JSObject *obj = ComputeThisFromVp(cx, vp);
     if (!obj)
         return JS_FALSE;
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -15521,19 +15521,22 @@ TraceRecorder::record_JSOP_ARRAYPUSH()
     JS_ASSERT(cx->fp()->slots() + slot < cx->regs->sp - 1);
     Value &arrayval = cx->fp()->slots()[slot];
     JS_ASSERT(arrayval.isObject());
     JS_ASSERT(arrayval.toObject().isDenseArray());
     LIns *array_ins = get(&arrayval);
     Value &elt = stackval(-1);
     LIns *elt_ins = box_value_for_native_call(elt, get(&elt));
 
+    enterDeepBailCall();
+
     LIns *args[] = { elt_ins, array_ins, cx_ins };
-    LIns *ok_ins = w.call(&js_ArrayCompPush_tn_ci, args);
-    guard(false, w.eqi0(ok_ins), OOM_EXIT);
+    pendingGuardCondition = w.call(&js_ArrayCompPush_tn_ci, args);
+
+    leaveDeepBailCall();
     return ARECORD_CONTINUE;
 }
 
 JS_REQUIRES_STACK AbortableRecordingStatus
 TraceRecorder::record_JSOP_ENUMCONSTELEM()
 {
     return ARECORD_STOP;
 }