Bug 1037665 - Don't optimize arguments.callee in strict mode. (r=h4writer)
authorShu-yu Guo <shu@rfrn.org>
Fri, 18 Jul 2014 14:39:30 -0700
changeset 208895 4c25019b1a1e227d14bd25152e5f4478577f1a85
parent 208894 a555f10c40e553030345ced1bab3088533c5119b
child 208896 e2650b0b07d62b96926cb2ee33eeada448dd2160
push idunknown
push userunknown
push dateunknown
reviewersh4writer
bugs1037665
milestone33.0a1
Bug 1037665 - Don't optimize arguments.callee in strict mode. (r=h4writer)
js/src/jit/BaselineIC.cpp
js/src/jit/IonAnalysis.cpp
js/src/jit/IonBuilder.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -6077,16 +6077,18 @@ TryAttachMagicArgumentsGetPropStub(JSCon
 {
     MOZ_ASSERT(!*attached);
 
     if (!val.isMagic(JS_OPTIMIZED_ARGUMENTS))
         return true;
 
     // Try handling arguments.callee on optimized arguments.
     if (name == cx->names().callee) {
+        MOZ_ASSERT(!script->strict());
+
         IonSpew(IonSpew_BaselineIC, "  Generating GetProp(MagicArgs.callee) stub");
 
         // Unlike ICGetProp_ArgumentsLength, only magic argument stubs are
         // supported at the moment.
         ICStub *monitorStub = stub->fallbackMonitorStub()->firstMonitorStub();
 
         // XXXshu the compiler really should be stack allocated, but stack
         // allocating it causes the test_temporary_storage indexedDB test to
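Review bot: The new `MOZ_ASSERT(!script->strict());` at the top of the callee branch states an invariant without saying where it comes from, and in a release build nothing checks it here: if a JS_OPTIMIZED_ARGUMENTS value for a strict script ever reached this stub, the stub would hand out the callee instead of the TypeError that the strict-mode `arguments.callee` accessor produces. I would document the dependency next to the assert: `// Strict-mode arguments.callee is a throwing accessor; the lazy-arguments analysis (ArgumentsUseCanBeLazy) refuses to keep arguments lazy for it, so a magic arguments value can only reach this stub from non-strict code.` The same bare assert is added in ComputeGetPropResult in this file and in IonBuilder::getPropTryArgumentsCallee; either repeat the comment there or put one comment at the analysis site that names the three asserts relying on it. TryAttachMagicArgumentsGetPropStub starts before the hunk and continues past it.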
@@ -6472,16 +6474,17 @@ ComputeGetPropResult(JSContext *cx, Base
 {
     // Handle arguments.length and arguments.callee on optimized arguments, as
     // it is not an object.
     if (val.isMagic(JS_OPTIMIZED_ARGUMENTS) && IsOptimizedArguments(frame, val.address())) {
         if (op == JSOP_LENGTH) {
             res.setInt32(frame->numActualArgs());
         } else {
             MOZ_ASSERT(name == cx->names().callee);
+            MOZ_ASSERT(!frame->script()->strict());
             res.setObject(*frame->callee());
         }
     } else {
         // Handle when val is an object.
         RootedObject obj(cx, ToObjectFromStack(cx, val));
         if (!obj)
             return false;
 
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -2412,21 +2412,21 @@ ArgumentsUseCanBeLazy(JSContext *cx, JSS
         *argumentsContentsObserved = true;
         return true;
     }
 
     // MGetArgumentsObjectArg needs to be considered as a use that allows laziness.
     if (ins->isGetArgumentsObjectArg() && index == 0)
         return true;
 
-    // arguments.length length can read fp->numActualArgs() directly and
-    // arguments.callee can read fp->callee() directly.
+    // arguments.length length can read fp->numActualArgs() directly.
+    // arguments.callee can read fp->callee() directly in non-strict code.
     if (ins->isCallGetProperty() && index == 0 &&
         (ins->toCallGetProperty()->name() == cx->names().length ||
-         ins->toCallGetProperty()->name() == cx->names().callee))
+         (!script->strict() && ins->toCallGetProperty()->name() == cx->names().callee)))
     {
         return true;
     }
 
     return false;
 }
 
 bool
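Review bot: The rewritten comment on the first added line keeps the doubled word from the old text; `// arguments.length length can read fp->numActualArgs() directly.` should read `// arguments.length can read fp->numActualArgs() directly.` Since this condition is now the single place that keeps strict code off the lazy-arguments path, the second comment line should also say why the asserts added in BaselineIC.cpp and IonBuilder.cpp hold, e.g. `// arguments.callee can read fp->callee() directly only in non-strict code; strict arguments.callee is a throwing accessor, so strict scripts fall through to return false and get a real arguments object.` The `script` used in the new condition is presumably the JSScript parameter cut off in the hunk header; worth confirming it is the script being analysed rather than an enclosing one. ArgumentsUseCanBeLazy's signature lies outside the hunk.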
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -8723,16 +8723,18 @@ IonBuilder::getPropTryArgumentsCallee(bo
     if (!checkIsDefinitelyOptimizedArguments(obj, &isOptimizedArgs))
         return false;
     if (!isOptimizedArgs)
         return true;
 
     if (name != names().callee)
         return true;
 
+    MOZ_ASSERT(!script()->strict());
+
     obj->setImplicitlyUsedUnchecked();
     current->push(getCallee());
 
     *emitted = true;
     return true;
 }
 
 bool