Fixed charCodeAt inparam being aggressively, and incorrectly, specialized (bug 536445, r=bz).

js/src/jsbuiltins.h

@@ -497,7 +497,8 @@ JS_DECLARE_CALLINFO(js_String_getelem)
 JS_DECLARE_CALLINFO(js_String_p_charCodeAt)
 JS_DECLARE_CALLINFO(js_String_p_charCodeAt0)
 JS_DECLARE_CALLINFO(js_String_p_charCodeAt0_int)
-JS_DECLARE_CALLINFO(js_String_p_charCodeAt_int)
+JS_DECLARE_CALLINFO(js_String_p_charCodeAt_double_int)
+JS_DECLARE_CALLINFO(js_String_p_charCodeAt_int_int)
 
 /* Defined in jsbuiltins.cpp. */
 JS_DECLARE_CALLINFO(js_BoxDouble)

js/src/jsstr.cpp

@@ -1021,13 +1021,23 @@ js_String_p_charCodeAt(JSString* str, jsdouble d)
 }
 
 int32 FASTCALL
-js_String_p_charCodeAt_int(JSString* str, jsint i)
+js_String_p_charCodeAt_int_int(JSString* str, jsint i)
 {
     if (i < 0 || (int32)str->length() <= i)
         return 0;
     return str->chars()[i];
 }
-JS_DEFINE_CALLINFO_2(extern, INT32, js_String_p_charCodeAt_int,  STRING, INT32, 1, 1)
+JS_DEFINE_CALLINFO_2(extern, INT32, js_String_p_charCodeAt_int_int,  STRING, INT32, 1, 1)
+
+int32 FASTCALL
+js_String_p_charCodeAt_double_int(JSString* str, double d)
+{
+    d = js_DoubleToInteger(d);
+    if (d < 0 || (int32)str->length() <= d)
+        return 0;
+    return str->chars()[jsuint(d)];
+}
+JS_DEFINE_CALLINFO_2(extern, INT32, js_String_p_charCodeAt_double_int,  STRING, DOUBLE, 1, 1)
 
 jsdouble FASTCALL
 js_String_p_charCodeAt0(JSString* str)

js/src/jstracer.cpp

@@ -8369,12 +8369,13 @@ TraceRecorder::f2i(LIns* f)
         }
         if (ci == &js_String_p_charCodeAt_ci) {
             LIns* idx = fcallarg(f, 1);
-            // If the index is not already an integer, force it to be an integer.
-            idx = isPromote(idx)
-                ? demote(lir, idx)
-                : lir->insCall(&js_DoubleToInt32_ci, &idx);
-            LIns* args[] = { idx, fcallarg(f, 0) };
-            return lir->insCall(&js_String_p_charCodeAt_int_ci, args);
+            if (isPromote(idx)) {
+                LIns* args[] = { demote(lir, idx), fcallarg(f, 0) };
+                return lir->insCall(&js_String_p_charCodeAt_int_int_ci, args);
+            } else {
+                LIns* args[] = { idx, fcallarg(f, 0) };
+                return lir->insCall(&js_String_p_charCodeAt_double_int_ci, args);
+            }
         }
     }
     return lir->insCall(&js_DoubleToInt32_ci, &f);

js/src/trace-test/tests/basic/bug536445.js

@@ -0,0 +1,10 @@
+var x;
+var str = "a";
+assertEq(str.charCodeAt(Infinity) | 0, 0);
+for (var i = 0; i < 10; ++i)
+  x = str.charCodeAt(Infinity) | 0;
+assertEq(x, 0);
+for (var i = 0; i < 10; ++i)
+  x = str.charCodeAt(Infinity);
+assertEq(x | 0, 0);
+