Bug 827153 - IonMonkey: the restored |this| in an inlined call could be wrong
Status: Closed (RESOLVED DUPLICATE of bug 835178)
Opened 13 years ago; closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Reporter: h4writer; Assignee: Unassigned
The resumepoint taken before doing the inlined call has the old |this| value. The real |this| value only gets created after the resumepoint. For use in bailout this is correct, but to get the arguments in an inlined funapply function, we will get the wrong value, because there we want the new |this| value.
Because the arguments vector doesn't return the |this| value we are actually lucky. There is no way to get the wrong value. But
1) we should add an assert so that it doesn't get abused later on
2) we could also use the old way to retrieve all normal arguments and the resumepoint to get the overflowed arguments. Because |this| is always set, this will always be correct.
For reference: "the new way" has been introduced in bug 813784, IonFrameIterator-inl.h
Comment 1 (Reporter, 13 years ago):
Will get resolved in bug 835178 in the way described here. This is needed to allow inlining of JSOP_SETARG
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE