Bug 606138 - Gatling gun should guard against clobbered callee/this (r=waldo)

2010-10-28 17:26:19 -07:00 · 2010-10-28 17:26:19 -07:00 · 6e14f48d41
--- a/js/src/jit-test/tests/basic/testBug606138.js
+++ b/js/src/jit-test/tests/basic/testBug606138.js
@ -0,0 +1,3 @@
+// The proxy is going to mutate thisv in place. InvokeSessionGuard should be
+// cool with that
+with(evalcx(''))[7, 8].map(Int16Array, [])
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -788,6 +788,10 @@ InvokeSessionGuard::start(JSContext *cx, const Value &calleev, const Value &this
    if (!stack.pushInvokeArgs(cx, argc, &args_))
        return false;

+    /* Callees may clobber 'this' or 'callee'. */
+    savedCallee_ = args_.callee() = calleev;
+    savedThis_ = args_.thisv() = thisv;
+
    do {
        /* Hoist dynamic checks from scripted Invoke. */
        if (!calleev.isObject())
@ -802,10 +806,6 @@ InvokeSessionGuard::start(JSContext *cx, const Value &calleev, const Value &this
        if (fun->isHeavyweight() || script_->isEmpty() || cx->compartment->debugMode)
            break;

-        /* Set (callee, this) once for the session (before args are duped). */
-        args_.callee().setObject(callee);
-        args_.thisv() = thisv;
-
        /* Push the stack frame once for the session. */
        uint32 flags = 0;
        if (!stack.getInvokeFrame(cx, args_, fun, script_, &flags, &frame_))
@ -820,7 +820,7 @@ InvokeSessionGuard::start(JSContext *cx, const Value &calleev, const Value &this
            if (!thisp)
                return false;
            JS_ASSERT(IsSaneThisObject(*thisp));
-            fp->functionThis().setObject(*thisp);
+            savedThis_.setObject(*thisp);
        }

 #ifdef JS_METHODJIT
@ -859,8 +859,6 @@ InvokeSessionGuard::start(JSContext *cx, const Value &calleev, const Value &this
     */
    if (frame_.pushed())
        frame_.pop();
-    args_.thisv() = thisv;
-    savedCallee_ = calleev;
    formals_ = actuals_ = args_.argv();
    nformals_ = (unsigned)-1;
    return true;
--- a/js/src/jsinterpinlines.h
+++ b/js/src/jsinterpinlines.h
@ -511,7 +511,7 @@ class InvokeSessionGuard
 {
    InvokeArgsGuard args_;
    InvokeFrameGuard frame_;
-    Value savedCallee_;
+    Value savedCallee_, savedThis_;
    Value *formals_, *actuals_;
    unsigned nformals_;
    JSScript *script_;
@ -554,10 +554,12 @@ InvokeSessionGuard::invoke(JSContext *cx) const
 {
    /* N.B. Must be kept in sync with Invoke */

-    if (!optimized()) {
-        args_.callee() = savedCallee_;
+    /* Refer to canonical (callee, this) for optimized() sessions. */
+    formals_[-2] = savedCallee_;
+    formals_[-1] = savedThis_;
+
+    if (!optimized())
        return Invoke(cx, args_, 0);
-    }

    /* Clear any garbage left from the last Invoke. */
    JSStackFrame *fp = frame_.fp();