Bug 666003 - Set 'script' after pushing inline frame in JSOP_CALL (r=waldo)
authorLuke Wagner <luke@mozilla.com>
Tue, 21 Jun 2011 17:44:50 -0700
changeset 71842 d416abec8cd36e4501f13264b2e58e887b985f17
parent 71841 3bd218337175e09ba92c24cd8f71ef1a97be35b0
child 71843 0428dbdf3d58bd1086b307b7cf1f328923ca1040
push idunknown
push userunknown
push dateunknown
reviewerswaldo
bugs666003
milestone7.0a1
Bug 666003 - Set 'script' after pushing inline frame in JSOP_CALL (r=waldo)
js/src/jit-test/tests/basic/testBug666003.js
js/src/jsinterp.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug666003.js
@@ -0,0 +1,13 @@
+function f() {
+    f = function() { g(); };
+    f();
+}
+g = f;
+
+var caught = false;
+try {
+    f();
+} catch(e) {
+    caught = true;
+}
+assertEq(caught, true);
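Review bot: The new test carries no comment saying what it exercises, so a reader cannot tell why `f` reassigns itself or why a throw is the expected outcome. From the visible lines, `g = f` keeps the original `f`, the replacement `f` calls `g`, and the original `f` reinstalls the replacement and calls it, so the calls recurse without bound until the engine throws (presumably its over-recursion error) and `caught` becomes true; the commit title suggests this is the path where pushing the inline frame fails. I would add a header comment above line 1: `// Bug 666003: f and g recurse into each other without bound so that pushing a frame eventually fails; the resulting error must be thrown normally and be catchable.` The test only checks that something was caught; if the error type on that path is stable, asserting it as well would make a regression in the failure path easier to diagnose.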
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -4552,21 +4552,22 @@ BEGIN_CASE(JSOP_FUNAPPLY)
         }
         regs.sp = args.spAfterCall();
         CHECK_INTERRUPT_HANDLER();
         TRACE_0(NativeCallComplete);
         len = JSOP_CALL_LENGTH;
         DO_NEXT_OP(len);
     }
 
-    script = fun->script();
-    if (!cx->stack.pushInlineFrame(cx, regs, args, *callee, fun, script, construct, OOMCheck()))
+    JSScript *newScript = fun->script();
+    if (!cx->stack.pushInlineFrame(cx, regs, args, *callee, fun, newScript, construct, OOMCheck()))
         goto error;
 
     /* Refresh local js::Interpret state. */
+    script = newScript;
     pcCounts = script->pcCounters.get(JSRUNMODE_INTERP);
     argv = regs.fp()->formalArgsEnd() - fun->nargs;
     atoms = script->atomMap.vector;
 
     /* Only create call object after frame is rooted. */
     if (fun->isHeavyweight() && !CreateFunCallObject(cx, regs.fp()))
         goto error;