Bug 676343 - Lexical scoping bug involving UPVAR_LEVEL_LIMIT. r=brendan.
authorJason Orendorff <jorendorff@mozilla.com>
Thu, 01 Sep 2011 11:31:09 -0500
changeset 76396 1a29139e6bafb68172bebb92f4208762aa939367
parent 76387 ce43a8644bc03efa037d5ea6b5b3da69b5977edc
child 76397 d6eab9dde6bd19cefdf59b1f3d477149b9a89ebc
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersbrendan
bugs676343
milestone9.0a1
Bug 676343 - Lexical scoping bug involving UPVAR_LEVEL_LIMIT. r=brendan.
js/src/jsemit.cpp
js/src/jsinterp.cpp
js/src/tests/js1_8_5/regress/jstests.list
js/src/tests/js1_8_5/regress/regress-672893.js
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -2353,17 +2353,17 @@ BindNameToSlot(JSContext *cx, JSCodeGene
         JS_ASSERT(cg->fun()->u.i.skipmin <= skip);
 
         /*
          * If op is a mutating opcode, this upvar's lookup skips too many levels,
          * or the function is heavyweight, we fall back on JSOP_*NAME*.
          */
         if (op != JSOP_NAME)
             return JS_TRUE;
-        if (level >= UpvarCookie::UPVAR_LEVEL_LIMIT)
+        if (skip >= UpvarCookie::UPVAR_LEVEL_LIMIT)
             return JS_TRUE;
         if (cg->flags & TCF_FUN_HEAVYWEIGHT)
             return JS_TRUE;
 
         if (!cg->fun()->isFlatClosure())
             return JS_TRUE;
 
         if (!cg->upvarIndices.ensureMap(cx))
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -1431,17 +1431,16 @@ js_DoIncDec(JSContext *cx, const JSCodeS
     return JS_TRUE;
 }
 
 const Value &
 js::GetUpvar(JSContext *cx, uintN closureLevel, UpvarCookie cookie)
 {
     JS_ASSERT(closureLevel >= cookie.level() && cookie.level() > 0);
     const uintN targetLevel = closureLevel - cookie.level();
-    JS_ASSERT(targetLevel < UpvarCookie::UPVAR_LEVEL_LIMIT);
 
     StackFrame *fp = FindUpvarFrame(cx, targetLevel);
     uintN slot = cookie.slot();
     const Value *vp;
 
     if (!fp->isFunctionFrame() || fp->isEvalFrame()) {
         vp = fp->slots() + fp->numFixed();
     } else if (slot < fp->numFormalArgs()) {
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@@ -106,12 +106,13 @@ script regress-642247.js
 script regress-643222.js
 script regress-646820-1.js
 script regress-646820-2.js
 script regress-646820-3.js
 script regress-665355.js
 script regress-666599.js
 script regress-667047.js
 script regress-672892.js
+script regress-672893.js
 script regress-673070-1.js
 script regress-673070-2.js
 script regress-673070-3.js
 script regress-675581.js
new file mode 100644
--- /dev/null
+++ b/js/src/tests/js1_8_5/regress/regress-672893.js
@@ -0,0 +1,18 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+
+function f() {
+    return function () { return function () { return function () {
+    return function () { return function () { return function () {
+    return function () { return function () { return function () {
+    return function () { return function () { return function () {
+    return function () { return function () { return function (a) {
+        var v = a;
+	assertEq(v, 42);
+	return function() { return v; };
+    }; }; }; }; }; }; }; }; }; }; }; }; }; }; };
+};
+
+assertEq(f()()()()()()()()()()()()()()()(42)(), 42);
+
+reportCompare(0, 0, 'ok');