Bug 539553 - Correctness regression on the r-tree benchmark. r=dmandelin.

2010-01-14 18:23:05 -06:00 · 2010-01-14 18:23:05 -06:00 · e4260dacfd
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -13961,6 +13961,17 @@ TraceRecorder::record_JSOP_ARGSUB()
    RETURN_STOP_A("can't trace JSOP_ARGSUB hard case");
 }
 JS_REQUIRES_STACK LIns*
 TraceRecorder::guardArgsLengthNotAssigned(LIns* argsobj_ins)
 {
    // The following implements js_IsOverriddenArgsLength on trace.
    // The '2' bit is set if length was overridden.
    LIns *len_ins = stobj_get_fslot(argsobj_ins, JSSLOT_ARGS_LENGTH);
    LIns *ovr_ins = lir->ins2(LIR_piand, len_ins, INS_CONSTWORD(2));
    guard(true, lir->ins_peq0(ovr_ins), snapshot(BRANCH_EXIT));
    return len_ins;
 }
 JS_REQUIRES_STACK AbortableRecordingStatus
 TraceRecorder::record_JSOP_ARGCNT()
 {
@ -13978,13 +13989,7 @@ TraceRecorder::record_JSOP_ARGCNT()
    LIns *a_ins = get(&cx->fp->argsobj);
    if (callDepth == 0) {
        LIns *br = lir->insBranch(LIR_jt, lir->ins_peq0(a_ins), NULL);
-
+        guardArgsLengthNotAssigned(a_ins);
        // The following implements js_IsOverriddenArgsLength on trace.
        // The '2' bit is set if length was overridden.
        LIns *len_ins = stobj_get_fslot(a_ins, JSSLOT_ARGS_LENGTH);
        LIns *ovr_ins = lir->ins2(LIR_piand, len_ins, INS_CONSTWORD(2));
        guard(true, lir->ins_peq0(ovr_ins), snapshot(BRANCH_EXIT));
        LIns *label = lir->ins0(LIR_label);
        br->setTarget(label);
    }
@ -14827,7 +14832,15 @@ TraceRecorder::record_JSOP_LENGTH()
        if (!afp)
            RETURN_STOP_A("can't reach arguments object's frame");
-        LIns* v_ins = lir->ins1(LIR_i2f, INS_CONST(afp->argc));
+        // We must both check at record time and guard at run time that
        // arguments.length has not been reassigned, redefined or deleted.
        if (js_IsOverriddenArgsLength(obj))
            RETURN_STOP_A("can't trace JSOP_ARGCNT if arguments.length has been modified");
        LIns* slot_ins = guardArgsLengthNotAssigned(obj_ins);
        // slot_ins is the value from the slot; right-shift by 2 bits to get
        // the length (see GetArgsLength in jsfun.cpp).
        LIns* v_ins = lir->ins1(LIR_i2f, lir->ins2i(LIR_rsh, slot_ins, 2));
        set(&l, v_ins);
        return ARECORD_CONTINUE;
    }
--- a/js/src/jstracer.h
+++ b/js/src/jstracer.h
@ -1297,6 +1297,7 @@ class TraceRecorder
    JS_REQUIRES_STACK RecordingStatus guardCallee(jsval& callee);
    JS_REQUIRES_STACK JSStackFrame      *guardArguments(JSObject *obj, nanojit::LIns* obj_ins,
                                                        unsigned *depthp);
    JS_REQUIRES_STACK nanojit::LIns* guardArgsLengthNotAssigned(nanojit::LIns* argsobj_ins);
    JS_REQUIRES_STACK RecordingStatus getClassPrototype(JSObject* ctor,
                                                          nanojit::LIns*& proto_ins);
    JS_REQUIRES_STACK RecordingStatus getClassPrototype(JSProtoKey key,
--- a/js/src/trace-test/tests/basic/bug539553-2.js
+++ b/js/src/trace-test/tests/basic/bug539553-2.js
@ -0,0 +1,7 @@
 function f() {
    var x = arguments;
    arguments.length = {};
    for (var i = 0; i < 9; i++)
        x.length.toSource();
 }
 f();
--- a/js/src/trace-test/tests/basic/bug539553.js
+++ b/js/src/trace-test/tests/basic/bug539553.js
@ -0,0 +1,11 @@
 function g(x) {
    assertEq(x.length, 1);
 }
 function f() {
    arguments.length = 1;
    for (var i = 0; i < 9; i++)
        g(arguments);
 }
 f();