Bug 669044 - Undo changes to tracer assert (r=dvander)
authorLuke Wagner <luke@mozilla.com>
Mon, 11 Jul 2011 10:22:27 -0700
changeset 76038 464f65a4cb87945fa52e73e7d4d57d1b0bd3b321
parent 76037 60b1a6a58531e9ce6c10445804b9a7f8fb4b4290
child 76039 9df6877bbb9a62987ae9e9caef99e24338f1dd50
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersdvander
bugs669044
milestone8.0a1
Bug 669044 - Undo changes to tracer assert (r=dvander)
js/src/jit-test/tests/basic/testBug667915.js
js/src/jstracer.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug667915.js
@@ -0,0 +1,8 @@
+for each(let y in [0, 0]) {
+    eval("\
+        for each(e in[0,0,0,0,0,0,0,0]) {\
+            x = undefined\
+        }\
+    ")
+}
+
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -15159,23 +15159,35 @@ TraceRecorder::record_JSOP_BINDNAME()
 {
     TraceMonitor *localtm = traceMonitor;
     StackFrame* const fp = cx->fp();
     JSObject *obj;
 
     if (!fp->isFunctionFrame()) {
         obj = &fp->scopeChain();
 
+#ifdef DEBUG
+        StackFrame *fp2 = fp;
+#endif
+
         /*
          * In global code, fp->scopeChain can only contain blocks whose values
          * are still on the stack.  We never use BINDNAME to refer to these.
          */
         while (obj->isBlock()) {
             // The block's values are still on the stack.
-            JS_ASSERT(obj->getPrivate() == fp);
+#ifdef DEBUG
+            // NB: fp2 can't be a generator frame, because !fp->hasFunction.
+            while (obj->getPrivate() != fp2) {
+                JS_ASSERT(fp2->isEvalFrame());
+                fp2 = fp2->prev();
+                if (!fp2)
+                    JS_NOT_REACHED("bad stack frame");
+            }
+#endif
             obj = obj->getParent();
             // Blocks always have parents.
             JS_ASSERT(obj);
         }
 
         /*
          * If this is a strict mode eval frame, we will have a Call object for
          * it. For now just don't trace this case.