Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj, a=lsblakk
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 10 Jun 2013 14:00:27 +0200
changeset 142871 944182a5a20459d3356afb86f5686151b83a570a
parent 142870 a991fa3810ac334034c93d875b39489263eba096
child 142872 6f7c753b3abc0f242e63659960cce41a22bdc3d2
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
reviewersdjvj, lsblakk
bugs876465
milestone23.0a2
Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj, a=lsblakk
js/src/ion/IonFrameIterator-inl.h
js/src/jit-test/tests/ion/bug876465.js
--- a/js/src/ion/IonFrameIterator-inl.h
+++ b/js/src/ion/IonFrameIterator-inl.h
@@ -21,25 +21,25 @@ SnapshotIterator::readFrameArgs(Op &op, 
                                 unsigned start, unsigned formalEnd, unsigned iterEnd,
                                 JSScript *script)
 {
     if (scopeChain)
         *scopeChain = read();
     else
         skip();
 
+    // Skip slot for arguments object.
+    if (script->argumentsHasVarBinding())
+        skip();
+
     if (thisv)
         *thisv = read();
     else
         skip();
 
-    // Skip slot for arguments object.
-    if (script->argumentsHasVarBinding())
-        skip();
-
     unsigned i = 0;
     if (formalEnd < start)
         i = start;
 
     for (; i < start; i++)
         skip();
     for (; i < formalEnd && i < iterEnd; i++) {
         // We are not always able to read values from the snapshots, some values
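Review bot: The slot order this reader now assumes — scope chain, then an arguments-object slot when `script->argumentsHasVarBinding()`, then |this|, then the formals — is not written down anywhere in the hunk, and the bug being fixed was exactly a mismatch between a reader's order and the order the snapshot was encoded in (presumably elsewhere in the compiler). A comment at the moved check would tie the reader to that layout: `// Slot layout: scopeChain, [argumentsObject], thisv, formals; must stay in step with the snapshot encoder and with InlineFrameIterator::thisObject().` The second hunk (thisObject) repeats the same ordering and would benefit from the mirrored comment. readFrameArgs begins before this hunk — only part of its signature is visible in the hunk header — and its body continues past the last line shown.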
@@ -154,16 +154,20 @@ inline JSObject *
 InlineFrameIteratorMaybeGC<allowGC>::thisObject() const
 {
     // JS_ASSERT(isConstructing(...));
     SnapshotIterator s(si_);
 
     // scopeChain
     s.skip();
 
+    // Arguments object.
+    if (script()->argumentsHasVarBinding())
+        s.skip();
+
     // In strict modes, |this| may not be an object and thus may not be
     // readable which can either segv in read or trigger the assertion.
     Value v = s.read();
     JS_ASSERT(v.isObject());
     return &v.toObject();
 }
 
 template <AllowGC allowGC>
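Review bot: The comment on the added skip in thisObject(), `// Arguments object.`, says less than its counterpart in readFrameArgs (`// Skip slot for arguments object.`), and the thing worth recording is the coupling between the two readers: reorder one without the other and the second silently reads the wrong slot, which is what this commit repairs. Suggest `// Skip slot for arguments object; order must match SnapshotIterator::readFrameArgs.` Note also that the only guard on the value read afterwards is `JS_ASSERT(v.isObject())`, which presumably compiles out in release builds, so a stale slot order there would return a non-object as |this| unchecked — worth a sentence in the existing comment above the read rather than a code change here.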
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug876465.js
@@ -0,0 +1,20 @@
+function initialize() {};
+function test() {
+eval("\
+var Class = {\
+  create : function() {\
+    return function() {\
+      this.initialize.apply(this, arguments);\
+    }\
+  }\
+};\
+var Foo = Class.create();\
+Foo.prototype = {\
+  initialize : function() {\
+    this.bar = Foo();\
+  }\
+};\
+var foo = new Foo();\
+");
+}
+test();
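Review bot: The new test has no comment naming the bug it covers or what a failure looks like; it contains no assertion, so it passes by not crashing or asserting, which a reader cannot tell from the code alone. Suggest a header line such as `// Bug 876465: reading |this| of an inlined constructor frame must skip the arguments-object slot; a regression shows up as an assertion failure or crash, not a wrong value.` The eval wrapper is presumably what forces the arguments binding and the frame shape under test, so it should be kept as is. Minor: `function initialize() {};` carries a stray semicolon after the function body.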