Fixed lazy import regression in upvar resolution (bug 535930, r=dmandelin).
☠☠ backed out by 28ba3d9a651f ☠ ☠
authorDavid Anderson <danderson@mozilla.com>
Mon, 21 Dec 2009 11:49:23 -0800
changeset 36558 f7cff6dd16f1a1f1d8a50cd5275e451ef7b6ac2b
parent 36557 f740becddc56efde70e55b1c17044d053085af73
child 36559 a2213b12f2536febb8b4fc660416dafc42ab4699
child 36561 28ba3d9a651f8478215b40691a809602871cf2d6
push idunknown
push userunknown
push dateunknown
reviewersdmandelin
bugs535930
milestone1.9.3a1pre
Fixed lazy import regression in upvar resolution (bug 535930, r=dmandelin).
js/src/jstracer.cpp
js/src/trace-test/tests/basic/bug535930.js
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -12121,18 +12121,18 @@ TraceRecorder::upvar(JSScript* script, J
      * vr directly with the result, so it is a reference to the same location.
      * It does not work to assign the result to v, because v is an already
      * existing reference that points to something else.
      */
     uint32 cookie = uva->vector[index];
     jsval& vr = js_GetUpvar(cx, script->staticLevel, cookie);
     v = vr;
 
-    if (known(&vr))
-        return get(&vr);
+    if (LIns* ins = get(&vr))
+        return ins;
 
     /*
      * The upvar is not in the current trace, so get the upvar value exactly as
      * the interpreter does and unbox.
      */
     uint32 level = script->staticLevel - UPVAR_FRAME_SKIP(cookie);
     uint32 cookieSlot = UPVAR_FRAME_SLOT(cookie);
     JSStackFrame* fp = cx->display[level];
new file mode 100644
--- /dev/null
+++ b/js/src/trace-test/tests/basic/bug535930.js
@@ -0,0 +1,19 @@
+(function () {
+    p = function () {
+        Set()
+    };
+    var Set = function () {};
+    for (var x = 0; x < 5; x++) {
+        Set = function (z) {
+            return function () {
+                [z]
+            }
+        } (x)
+    }
+})()
+
+/*
+ * bug 535930, mistaknely generated code to GetUpvar and crashed inside the call.
+ * so don't crash.
+ */
+