Bug 784639 - Fix SetNameOperation to not use cx->fp since it is wrong for jit-inlined calls (r=bhackett)
authorLuke Wagner <luke@mozilla.com>
Wed, 22 Aug 2012 10:57:42 -0700
changeset 105081 236d384dc4f98ab74e5bdece2a9da58eac7c1fdd
parent 105080 cc589462f4ca7879fac34b7a0c48f2d9eacc287c
child 105082 e8289a629cd44b6720aa8fb93e47861cfc7bf25c
push id55
push usershu@rfrn.org
push dateThu, 30 Aug 2012 01:33:09 +0000
reviewersbhackett
bugs784639
milestone17.0a1
Bug 784639 - Fix SetNameOperation to not use cx->fp since it is wrong for jit-inlined calls (r=bhackett)
js/src/jit-test/tests/basic/testBug784639.js
js/src/jsinterp.cpp
js/src/jsinterpinlines.h
js/src/methodjit/StubCalls.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug784639.js
@@ -0,0 +1,17 @@
+evalcx("\
+  Object.defineProperty(this, \"a\", {});\
+  f = (function(j) {\
+	  a = Proxy\
+  });\
+  Object.defineProperty(this, \"g\", {\
+	  get: function() {\
+		  return ({\
+			  r: function() {},\
+			  t: function() {}\
+		  })\
+	  }\
+  });\
+  for (p in g) {\
+	  f(1)\
+  }\
+", newGlobal())
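Review bot: The new test carries no comment saying what it guards, so a reader cannot tell that the `for (p in g)` loop exists to get `f` JIT-inlined before `a = Proxy` reaches SetNameOperation, where the old code read the script from cx->fp(). A one-line header such as `// Bug 784639: SetNameOperation must not take its script from cx->fp(); that frame is stale once f is inlined by the JIT.` would make the intent clear to whoever next touches it. The test also pins no observable result: `a` is defined via `Object.defineProperty(this, "a", {})`, so the non-strict assignment inside `f` should be silently ignored, and asserting inside the evaluated script that `a` is still `undefined` after the loop would catch a wrong-script regression that happens not to assert, if the harness provides an equality check in that global.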
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -2302,17 +2302,17 @@ END_CASE(JSOP_GETPROP)
 BEGIN_CASE(JSOP_SETGNAME)
 BEGIN_CASE(JSOP_SETNAME)
 {
     RootedObject &scope = rootObject0;
     scope = &regs.sp[-2].toObject();
 
     HandleValue value = HandleValue::fromMarkedLocation(&regs.sp[-1]);
 
-    if (!SetNameOperation(cx, regs.pc, scope, value))
+    if (!SetNameOperation(cx, script, regs.pc, scope, value))
         goto error;
 
     regs.sp[-2] = regs.sp[-1];
     regs.sp--;
 }
 END_CASE(JSOP_SETNAME)
 
 BEGIN_CASE(JSOP_SETPROP)
--- a/js/src/jsinterpinlines.h
+++ b/js/src/jsinterpinlines.h
@@ -417,22 +417,22 @@ NameOperation(JSContext *cx, JSScript *s
         if (!NativeGet(cx, normalized, pobj, shape, 0, vp))
             return false;
     }
 
     return true;
 }
 
 inline bool
-SetNameOperation(JSContext *cx, jsbytecode *pc, HandleObject scope, HandleValue val)
+SetNameOperation(JSContext *cx, JSScript *script, jsbytecode *pc, HandleObject scope,
+                 HandleValue val)
 {
     JS_ASSERT(*pc == JSOP_SETNAME || *pc == JSOP_SETGNAME);
     JS_ASSERT_IF(*pc == JSOP_SETGNAME, scope == cx->global());
 
-    JSScript *script = cx->fp()->script();
     bool strict = script->strictModeCode;
     RootedPropertyName name(cx, script->getName(pc));
     RootedValue valCopy(cx, val);
 
     /*
      * In strict-mode, we need to trigger an error when trying to assign to an
      * undeclared global variable. To do this, we call SetPropertyHelper
      * directly and pass DNP_UNQUALIFIED.
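Review bot: The new `script` parameter has an unstated precondition that nothing in the function checks: `script->getName(pc)` and `script->strictModeCode` are only meaningful if `script` is the script that owns `pc`, and passing a mismatched pair is exactly the wrong-atom-table lookup the old cx->fp() path produced for inlined calls. Since the function is `inline` in a header and now has two callers in different engines, a header comment spelling this out would help: `/* script must be the script containing pc; callers pass it explicitly because cx->fp()->script() is wrong for JIT-inlined frames (bug 784639). */`. If the script exposes its bytecode range, a JS_ASSERT that `pc` lies inside it, next to the existing opcode assert, would turn a future mismatch into a debug failure instead of a silent wrong-name store. SetNameOperation's body continues past the end of this hunk.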
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -69,17 +69,17 @@ stubs::BindGlobalName(VMFrame &f)
 
 void JS_FASTCALL
 stubs::SetName(VMFrame &f, PropertyName *name)
 {
     JSContext *cx = f.cx;
     RootedObject scope(cx, &f.regs.sp[-2].toObject());
     HandleValue value = HandleValue::fromMarkedLocation(&f.regs.sp[-1]);
 
-    if (!SetNameOperation(cx, f.pc(), scope, value))
+    if (!SetNameOperation(cx, f.script(), f.pc(), scope, value))
         THROW();
 
     f.regs.sp[-2] = f.regs.sp[-1];
 }
 
 void JS_FASTCALL
 stubs::Name(VMFrame &f)
 {
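Review bot: The fix in stubs::SetName now depends on `f.script()` resolving to the script that owns `f.pc()` for an inlined frame, which is the same property the commit says cx->fp() lacked, and nothing visible here shows that VMFrame::script() is inline-aware. If that is established elsewhere (presumably it walks the inline frame chain like `f.pc()` does), a short comment on the call would save the next reader from the same doubt: `// f.script()/f.pc() are inline-frame aware; cx->fp()->script() is not (bug 784639).`. If it is not, the stub still has the bug and the new jit-test would be the place to show it. stubs::Name begins at the end of this hunk and its body lies outside the diff.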