From 64554493664053aabe207c3638a3096bcab8625d Mon Sep 17 00:00:00 2001 From: Andreas Gal Date: Thu, 22 Jan 2009 17:58:18 -0800 Subject: [PATCH] Fix incorrect reliance on the identity of the global object on trace (474888, r=brendan). --- js/src/jstracer.cpp | 9 +++++---- js/src/jstracer.h | 2 ++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp index bff2b723d937..e7f0b96055a7 100644 --- a/js/src/jstracer.cpp +++ b/js/src/jstracer.cpp @@ -389,8 +389,7 @@ globalSlotHash(JSContext* cx, unsigned slot) fp = fp->down; hash_accum(h, uintptr_t(fp->script)); - hash_accum(h, uintptr_t(cx->globalObject)); - hash_accum(h, uintptr_t(OBJ_SHAPE(cx->globalObject))); + hash_accum(h, uintptr_t(OBJ_SHAPE(JS_GetGlobalForObject(cx, fp->scopeChain)))); hash_accum(h, uintptr_t(slot)); return int(h); } @@ -1077,6 +1076,7 @@ TraceRecorder::TraceRecorder(JSContext* cx, VMSideExit* _anchor, Fragment* _frag gp_ins = addName(lir->insLoad(LIR_ldp, lirbuf->state, offsetof(InterpState, gp)), "gp"); eos_ins = addName(lir->insLoad(LIR_ldp, lirbuf->state, offsetof(InterpState, eos)), "eos"); eor_ins = addName(lir->insLoad(LIR_ldp, lirbuf->state, offsetof(InterpState, eor)), "eor"); + globalObj_ins = addName(lir->insLoad(LIR_ldp, lirbuf->state, offsetof(InterpState, globalObj)), "globalObj"); /* If we came from exit, we might not have enough global types. */ if (JS_TRACE_MONITOR(cx).globalSlots->length() > ti->globalSlots()) { @@ -3645,6 +3645,7 @@ js_ExecuteTree(JSContext* cx, Fragment* f, uintN& inlineCallCount, state.eor = callstack + MAX_CALL_STACK_ENTRIES; state.gp = global; state.cx = cx; + state.globalObj = globalObj; state.lastTreeExitGuard = NULL; state.lastTreeCallGuard = NULL; state.rpAtLastTreeCall = NULL; @@ -6705,7 +6706,7 @@ TraceRecorder::record_JSOP_CALLNAME() if (!activeCallOrGlobalSlot(obj, vp)) return false; stack(0, get(vp)); - stack(1, INS_CONSTPTR(globalObj)); + stack(1, globalObj_ins); return true; } 
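Review bot: The replacement line in globalSlotHash drops the global's identity from the hash without explanation, so a later reader could easily put `cx->globalObject` back and reintroduce the dependence this commit removes. I would add a comment above it, for example `/* Key on the shape of the frame's global, not its address: a trace may be entered under any global with this shape. */`. The call also dereferences `fp->scopeChain` on the frame where the `fp = fp->down` walk stops. That loop starts outside the hunk, so I cannot confirm the chain is always set there; a `JS_ASSERT(fp->scopeChain);` before the hash would document the assumption.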
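Review bot: `state.globalObj = globalObj;` in js_ExecuteTree is only correct if the local `globalObj` is the global of the frame being executed, and its definition lies outside this hunk. If it is still derived from `cx->globalObject`, the trace would load a different object than the one whose shape `globalSlotHash` now keys on. Please confirm where it comes from, or state it next to the store with `JS_ASSERT(globalObj == JS_GetGlobalForObject(cx, cx->fp->scopeChain));`.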
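Review bot: `stack(1, globalObj_ins)` in record_JSOP_CALLNAME fixes this site, but any other place in jstracer.cpp that still emits `INS_CONSTPTR(globalObj)` keeps the recording-time global pinned in generated code. A trace re-entered under a different global of the same shape would then pass or compare against the wrong object. Only two such sites are converted in this patch (here and the guard in `TraceRecorder::prop`), and I cannot tell from the hunks whether others remain, so it is worth grepping for them before landing. A short comment here, e.g. `/* runtime global loaded from InterpState, not the one seen while recording */`, would help keep the constant from being reintroduced.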
@@ -7002,7 +7003,7 @@ TraceRecorder::prop(JSObject* obj, LIns* obj_ins, uint32& slot, LIns*& v_ins) */ if (obj == globalObj) ABORT_TRACE("prop op aliases global"); - guard(false, lir->ins2(LIR_eq, obj_ins, INS_CONSTPTR(globalObj)), MISMATCH_EXIT); + guard(false, lir->ins2(LIR_eq, obj_ins, globalObj_ins), MISMATCH_EXIT); /* * Property cache ensures that we are dealing with an existing property, diff --git a/js/src/jstracer.h b/js/src/jstracer.h index 7cfd36b70620..ecec69d782cd 100644 --- a/js/src/jstracer.h +++ b/js/src/jstracer.h @@ -242,6 +242,7 @@ struct InterpState VMSideExit* lastTreeCallGuard; /* guard we want to grow from if the tree call exit guard mismatched */ void* rpAtLastTreeCall; /* value of rp at innermost tree call guard */ + JSObject* globalObj; /* pointer to the global object */ }; struct UnstableExit @@ -326,6 +327,7 @@ class TraceRecorder : public avmplus::GCObject { nanojit::LIns* gp_ins; nanojit::LIns* eos_ins; nanojit::LIns* eor_ins; + nanojit::LIns* globalObj_ins; nanojit::LIns* rval_ins; nanojit::LIns* inner_sp_ins; bool deepAborted;
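Review bot: The comment on the new `InterpState::globalObj` field, `/* pointer to the global object */`, does not say which global, which is the whole point of the field. Something like `/* global object this tree is running against; set by js_ExecuteTree on entry */` ties it to the store added in jstracer.cpp. The field is a bare `JSObject*`; presumably the executing frame keeps the object alive for the duration of the call, and it would help to say so in the same comment.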