Bug 1204554 part 3.3 - Only collect inner JSScript if they have the same source. r=terrence
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Thu, 01 Oct 2015 12:41:40 +0200
changeset 265604 c9575abbf46ec4c672868499ad7f9a058ca3bb76
parent 265603 c403924d9a60f483259be32ed7f33550adb2290f
child 265605 e5e97faa6d1d684ca019a2990b1cd91cb0130d36
push id15472
push usercbook@mozilla.com
push dateFri, 02 Oct 2015 11:51:34 +0000
reviewersterrence
bugs1204554
milestone44.0a1
Bug 1204554 part 3.3 - Only collect inner JSScript if they have the same source. r=terrence
js/src/vm/CodeCoverage.cpp
--- a/js/src/vm/CodeCoverage.cpp
+++ b/js/src/vm/CodeCoverage.cpp
@@ -110,36 +110,50 @@ LCovSource::writeTopLevelScript(JSScript
 
     do {
         script = queue.popCopy();
 
         // Save the lcov output of the current script.
         if (!writeScript(script))
             return false;
 
-        // Iterate from the last to the first object in order to have
-        // the functions them visited in the opposite order when popping
-        // elements from the stack of remaining scripts, such that the
-        // functions are listed with increasing line numbers.
+        // Iterate from the last to the first object in order to have the
+        // functions visited in the opposite order when popping elements from
+        // the queue of remaining scripts, such that the functions are listed
+        // with increasing line numbers.
         if (!script->hasObjects())
             continue;
+
         size_t idx = script->objects()->length;
         while (idx--) {
             JSObject* obj = script->getObject(idx);
 
             // Only continue on JSFunction objects.
             if (!obj->is<JSFunction>())
                 continue;
             JSFunction& fun = obj->as<JSFunction>();
 
             // Let's skip asm.js for now.
             if (!fun.isInterpreted())
                 continue;
             MOZ_ASSERT(!fun.isInterpretedLazy());
 
+            // Eval scripts can refer to their parent script in order to extend
+            // their scope.  We only care about the inner functions, which are
+            // in the same source, and which are assumed to be visited in the
+            // same order as the source content.
+            //
+            // Note: It is possible that the JSScript visited here has already
+            // been finalized, in which case the sourceObject() will be a
+            // poisoned pointer.  This is safe because all scripts are currently
+            // finalized in the foreground.
+            JSScript* child = fun.nonLazyScript();
+            if (child->sourceObject() != source_)
+                continue;
+
             // Queue the script in the list of script associated to the
             // current source.
             if (!queue.append(fun.nonLazyScript()))
                 return false;
         }
     } while (!queue.empty());
 
     return !(outFN_.hadOutOfMemory() ||
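Review bot: The new `child->sourceObject() != source_` check reads a field of a JSScript that the comment directly above says may already be finalized, and the only thing making that read harmless is the stated invariant that scripts are finalized in the foreground, which nothing in this hunk enforces. If that invariant ever changes, or if a finalized cell can be reused before this walk (not visible from the hunk), the comparison would read stale memory and could match `source_` by accident, so a debug-only assertion of the invariant next to the read would be safer than a comment alone. Separately, the append a few lines below still calls `fun.nonLazyScript()` a second time; `if (!queue.append(child))` would guarantee that the pointer that was checked is the one that is queued. The body of writeTopLevelScript starts before this hunk and continues past it.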