| author | Wes Kocher <wkocher@mozilla.com> |
| Wed, 29 Oct 2014 14:14:42 -0700 | |
| changeset 213022 | e0d847bcf86f85b4be5564c430f4dc4e6ebaa52e |
| parent 213021 | 8509aaff4c6a86e1f09a80d89c4a9ebfac66cecb |
| child 213023 | 64c5c57286bd822466da151e2240379b51b0b205 |
| push id | 27738 |
| push user | cbook@mozilla.com |
| push date | Thu, 30 Oct 2014 13:46:07 +0000 |
| treeherder | mozilla-central@1aa1b23d799e [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| bugs | 1089761 |
| milestone | 36.0a1 |
| backs out | 750b497aea432c8d478ced57791414d7c13d7772 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| js/src/jit-test/tests/ion/bug1089761.js | file | annotate | diff | comparison | revisions | |
| js/src/vm/ScopeObject-inl.h | file | annotate | diff | comparison | revisions | |
| js/src/vm/ScopeObject.cpp | file | annotate | diff | comparison | revisions |
deleted file mode 100644 --- a/js/src/jit-test/tests/ion/bug1089761.js +++ /dev/null @@ -1,14 +0,0 @@ -var hits = 0; -for (var j = 0; j < 9; ++j) { - try { - (function() { - (function() { - eval("x") - let x - })() - })() - } catch (e) { - hits++; - } -} -assertEq(hits, 9);
--- a/js/src/vm/ScopeObject-inl.h +++ b/js/src/vm/ScopeObject-inl.h @@ -52,19 +52,19 @@ CallObject::setAliasedVarFromArguments(J if (hasSingletonType()) types::AddTypePropertyId(cx, this, id, v); } inline void CallObject::setAliasedLexicalsToThrowOnTouch(JSScript *script) { uint32_t aliasedLexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin(); - uint32_t aliasedLexicalEnd = slotSpan(); + uint32_t aliasedLexicalEnd = numFixedSlots(); for (uint32_t slot = aliasedLexicalBegin; slot < aliasedLexicalEnd; slot++) - initSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL)); + initFixedSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL)); } template <AllowGC allowGC> inline bool StaticScopeIter<allowGC>::done() const { return !obj; }
--- a/js/src/vm/ScopeObject.cpp +++ b/js/src/vm/ScopeObject.cpp @@ -193,20 +193,16 @@ CallObject::createTemplateObject(JSConte gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots()); MOZ_ASSERT(CanBeFinalizedInBackground(kind, &class_)); kind = gc::GetBackgroundAllocKind(kind); JSObject *obj = JSObject::create(cx, kind, heap, shape, type); if (!obj) return nullptr; - // Set uninitialized lexicals even on template objects, as Ion will - // copy over the template object's slot values in the fast path. - obj->as<CallObject>().setAliasedLexicalsToThrowOnTouch(script); - return &obj->as<CallObject>(); } /* * Construct a call object for the given bindings. If this is a call object * for a function invocation, callee should be the function being called. * Otherwise it must be a call object for eval of strict mode code, and callee * must be null. @@ -216,16 +212,17 @@ CallObject::create(JSContext *cx, Handle { gc::InitialHeap heap = script->treatAsRunOnce() ? gc::TenuredHeap : gc::DefaultHeap; CallObject *callobj = CallObject::createTemplateObject(cx, script, heap); if (!callobj) return nullptr; callobj->as<ScopeObject>().setEnclosingScope(enclosing); callobj->initFixedSlot(CALLEE_SLOT, ObjectOrNullValue(callee)); + callobj->setAliasedLexicalsToThrowOnTouch(script); if (script->treatAsRunOnce()) { Rooted<CallObject*> ncallobj(cx, callobj); if (!JSObject::setSingletonType(cx, ncallobj)) return nullptr; return ncallobj; }