Root me harder (316885 r/sr=igor/shaver).

This commit is contained in:
brendan%mozilla.org 2005-11-22 00:47:05 +00:00
Родитель 00bc4f27cb
Коммит f533400ba1
2 изменённых файлов: 45 добавлений и 12 удалений

Просмотреть файл

@ -4345,6 +4345,16 @@ js_EmitTree(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
case TOK_DOT:
if (!EmitPropOp(cx, pn2, op, cg))
return JS_FALSE;
/*
* Allocate an extra stack slot for GC protection in case the
* initial value being post-incremented or -decremented is not
* a number, but converts to a jsdouble. See jsinterp.c, the
* JSOP_PROPINC and JSOP_PROPDEC cases.
*/
if ((js_CodeSpec[op].format & JOF_POST) &&
(uintN)cg->stackDepth == cg->maxStackDepth) {
++cg->maxStackDepth;
}
break;
case TOK_LB:
if (!EmitElemOp(cx, pn2, op, cg))

Просмотреть файл

@ -2827,6 +2827,7 @@ interrupt:
} \
} else { \
VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_NUMBER, &lval); \
sp[-2] = lval; \
VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_NUMBER, &rval); \
if (JSVAL_IS_STRING(lval) && JSVAL_IS_STRING(rval)) { \
str = JSVAL_TO_STRING(lval); \
@ -2913,10 +2914,12 @@ interrupt:
cond = 1 OP 0; \
} else { \
if (ltmp == JSVAL_OBJECT) { \
VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &lval); \
VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &sp[-2]); \
lval = sp[-2]; \
ltmp = JSVAL_TAG(lval); \
} else if (rtmp == JSVAL_OBJECT) { \
VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rval); \
VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &sp[-1]); \
rval = sp[-1]; \
rtmp = JSVAL_TAG(rval); \
} \
if (ltmp == JSVAL_STRING && rtmp == JSVAL_STRING) { \
@ -3048,16 +3051,18 @@ interrupt:
} else
#endif
{
VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &ltmp);
VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rtmp);
if ((cond = JSVAL_IS_STRING(ltmp)) || JSVAL_IS_STRING(rtmp)) {
SAVE_SP_AND_PC(fp);
VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &sp[-2]);
lval = sp[-2];
VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &sp[-1]);
rval = sp[-1];
if ((cond = JSVAL_IS_STRING(lval)) || JSVAL_IS_STRING(rval)) {
SAVE_SP(fp);
if (cond) {
str = JSVAL_TO_STRING(ltmp);
ok = (str2 = js_ValueToString(cx, rtmp)) != NULL;
str = JSVAL_TO_STRING(lval);
ok = (str2 = js_ValueToString(cx, rval)) != NULL;
} else {
str2 = JSVAL_TO_STRING(rtmp);
ok = (str = js_ValueToString(cx, ltmp)) != NULL;
str2 = JSVAL_TO_STRING(rval);
ok = (str = js_ValueToString(cx, lval)) != NULL;
}
if (!ok)
goto out;
@ -3405,7 +3410,9 @@ interrupt:
/*
* Initially, rval contains the value to increment or decrement, which is not
* yet converted. As above, the expression result goes in rtmp, the updated
* value goes in rval.
* value goes in rval. Our caller must set vp to point at a GC-rooted jsval
* in which we home rtmp, to protect it from GC in case the unconverted rval
* is not a number.
*/
#define NONINT_INCREMENT_OP_MIDDLE() \
JS_BEGIN_MACRO \
@ -3416,6 +3423,7 @@ interrupt:
ok = js_NewNumberValue(cx, d, &rtmp); \
if (!ok) \
goto out; \
*vp = rtmp; \
} \
(cs->format & JOF_INC) ? d++ : d--; \
ok = js_NewNumberValue(cx, d, &rval); \
@ -3428,6 +3436,19 @@ interrupt:
goto out; \
JS_END_MACRO
if ((cs->format & JOF_POST) && i != -2) {
/*
* We must push early to protect the postfix increment
* or decrement result, if converted to a jsdouble from
* a non-number value, from GC nesting in the setter.
*/
vp = sp++;
SAVE_SP(fp);
--i;
}
#ifdef __GNUC__
else vp = NULL; /* suppress bogus gcc warnings */
#endif
NONINT_INCREMENT_OP_MIDDLE();
}
@ -3537,9 +3558,11 @@ interrupt:
{
const JSCodeSpec *cs = &js_CodeSpec[op];
vp = sp++;
SAVE_SP(fp);
NONINT_INCREMENT_OP_MIDDLE();
OBJ_SET_SLOT(cx, obj, slot, rval);
PUSH_OPND(rtmp);
STORE_OPND(-1, rtmp);
len = cs->length;
DO_NEXT_OP(len);
}