Bug 1089761 - Initialize lexicals to throw on touch on CallObject templates. (r=jandem)
☠☠ backed out by e0d847bcf86f ☠ ☠
authorShu-yu Guo <shu@rfrn.org>
Wed, 29 Oct 2014 12:57:31 -0700
changeset 237323 750b497aea432c8d478ced57791414d7c13d7772
parent 237322 374ab4e39b3866ad8c63c58ab43f1f81c476481e
child 237324 0be3a777ab2b0843d6844ec8ed7f3de3737436e1
reviewersjandem
bugs1089761
milestone36.0a1
Bug 1089761 - Initialize lexicals to throw on touch on CallObject templates. (r=jandem)
js/src/jit-test/tests/ion/bug1089761.js
js/src/vm/ScopeObject-inl.h
js/src/vm/ScopeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1089761.js
@@ -0,0 +1,14 @@
+var hits = 0;
+for (var j = 0; j < 9; ++j) {
+    try {
+        (function() {
+            (function() {
+                eval("x")
+                let x
+            })()
+        })()
+    } catch (e) {
+      hits++;
+    }
+}
+assertEq(hits, 9);
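Review bot: The catch block counts any exception, so the test also passes if `eval("x")` fails for an unrelated reason (a syntax or compile error in the inner function, say) rather than the TDZ read it is meant to exercise. Asserting the error kind inside the handler, `assertEq(e instanceof ReferenceError, true);`, pins the expected behavior without changing the count. The loop bound of 9 looks like it is chosen so that later iterations run the Ion-compiled fast path described in the ScopeObject.cpp change; a one-line comment such as `// Iterate enough times that the inner closures get Ion-compiled; the template CallObject's slots must carry the TDZ marker.` would record that intent, since the number is otherwise unexplained.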
--- a/js/src/vm/ScopeObject-inl.h
+++ b/js/src/vm/ScopeObject-inl.h
@@ -52,19 +52,19 @@ CallObject::setAliasedVarFromArguments(J
     if (hasSingletonType())
         types::AddTypePropertyId(cx, this, id, v);
 }
 
 inline void
 CallObject::setAliasedLexicalsToThrowOnTouch(JSScript *script)
 {
     uint32_t aliasedLexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
-    uint32_t aliasedLexicalEnd = numFixedSlots();
+    uint32_t aliasedLexicalEnd = slotSpan();
     for (uint32_t slot = aliasedLexicalBegin; slot < aliasedLexicalEnd; slot++)
-        initFixedSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
+        initSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
 }
 
 template <AllowGC allowGC>
 inline bool
 StaticScopeIter<allowGC>::done() const
 {
     return !obj;
 }
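Review bot: Switching the upper bound to `slotSpan()` makes the loop cover dynamic slots as well as fixed ones, but nothing checks that `aliasedBodyLevelLexicalBegin()` is at most `slotSpan()`; if the bindings ever report a begin index past the object's slot span the loop silently does nothing and the lexicals stay readable instead of throwing. A `MOZ_ASSERT(aliasedLexicalBegin <= aliasedLexicalEnd);` before the loop would surface that mismatch in debug builds. The function also has no header comment; something like `// Mark every aliased body-level lexical slot, fixed and dynamic, with JS_UNINITIALIZED_LEXICAL so reads before the binding's initializer throw (TDZ). Uses initSlot, so it must only run on a freshly created object.` would document both the invariant and why `initSlot` rather than `setSlot` is appropriate here; the last clause is my reading of the initSlot/setSlot split and should be confirmed.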
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -193,16 +193,20 @@ CallObject::createTemplateObject(JSConte
     gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
     MOZ_ASSERT(CanBeFinalizedInBackground(kind, &class_));
     kind = gc::GetBackgroundAllocKind(kind);
 
     JSObject *obj = JSObject::create(cx, kind, heap, shape, type);
     if (!obj)
         return nullptr;
 
+    // Set uninitialized lexicals even on template objects, as Ion will
+    // copy over the template object's slot values in the fast path.
+    obj->as<CallObject>().setAliasedLexicalsToThrowOnTouch(script);
+
     return &obj->as<CallObject>();
 }
 
 /*
  * Construct a call object for the given bindings.  If this is a call object
  * for a function invocation, callee should be the function being called.
  * Otherwise it must be a call object for eval of strict mode code, and callee
  * must be null.
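Review bot: The new comment says the lexicals are set "even on template objects", but after this commit `createTemplateObject` is the only place the TDZ marker is written (the call in `CallObject::create` is removed in the next hunk), and `create` itself obtains its object from this function, so this is the single initialization point for both paths. Rewording it to state that makes the dependency explicit for the next reader: `// Mark aliased lexicals uninitialized here, not in create(): the interpreter path uses this object directly and Ion's fast path copies the template's slot values, so both rely on the TDZ marker being present on every CallObject produced here.` The "Ion copies slot values" part is taken from the existing comment and I have not verified it against the Ion code.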
@@ -212,17 +216,16 @@ CallObject::create(JSContext *cx, Handle
 {
     gc::InitialHeap heap = script->treatAsRunOnce() ? gc::TenuredHeap : gc::DefaultHeap;
     CallObject *callobj = CallObject::createTemplateObject(cx, script, heap);
     if (!callobj)
         return nullptr;
 
     callobj->as<ScopeObject>().setEnclosingScope(enclosing);
     callobj->initFixedSlot(CALLEE_SLOT, ObjectOrNullValue(callee));
-    callobj->setAliasedLexicalsToThrowOnTouch(script);
 
     if (script->treatAsRunOnce()) {
         Rooted<CallObject*> ncallobj(cx, callobj);
         if (!JSObject::setSingletonType(cx, ncallobj))
             return nullptr;
         return ncallobj;
     }