If the inner tree cannot be adjusted to match the call site of the outer tree because it uses an int where the outer tree uses a double, trash the inner tree, not the outer one. In CallTree, return the innermost guard we return from, not the outermost one. Jump over at most 1 loop edge that doesn't go back to our own header, not an arbitrary amount.

2008-08-28 14:24:58 -07:00
parent 0ef7839c0c
commit 5c07f4b0a6
3 changed files with 15 additions and 14 deletions
--- a/js/src/jsbuiltins.cpp
+++ b/js/src/jsbuiltins.cpp
@@ -425,7 +425,10 @@ js_CallTree(InterpState* state, Fragment* f)
    union { NIns *code; GuardRecord* (FASTCALL *func)(InterpState*, Fragment*); } u;
    u.code = f->code();
    JS_ASSERT(u.code);
-    return u.func(state, NULL);
+    GuardRecord* lr = u.func(state, NULL);
+    if (lr->exit->exitType == NESTED_EXIT)
+        lr = state->nestedExit;
+    return lr;
 }

 JS_STATIC_ASSERT(JSSLOT_PRIVATE == JSSLOT_ARRAY_LENGTH);