Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 10 Jun 2013 14:00:27 +0200
changeset 145994 b4445378bf87343c36a06c95feedc31f88c03a80
parent 145993 eaae3921357bd411b11d3750a85300ef331abbf3
child 145995 1e9c7600208a51f3bf69d2d810fbcf5a4cb9e913
push id2697
push userbbajaj@mozilla.com
push dateMon, 05 Aug 2013 18:49:53 +0000
treeherdermozilla-beta@dfec938c7b63 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdjvj
bugs876465
milestone24.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj
js/src/ion/IonFrameIterator-inl.h
js/src/jit-test/tests/ion/bug876465.js
--- a/js/src/ion/IonFrameIterator-inl.h
+++ b/js/src/ion/IonFrameIterator-inl.h
@@ -21,25 +21,25 @@ SnapshotIterator::readFrameArgs(Op &op, 
                                 unsigned start, unsigned formalEnd, unsigned iterEnd,
                                 JSScript *script)
 {
     if (scopeChain)
         *scopeChain = read();
     else
         skip();
 
+    // Skip slot for arguments object.
+    if (script->argumentsHasVarBinding())
+        skip();
+
     if (thisv)
         *thisv = read();
     else
         skip();
 
-    // Skip slot for arguments object.
-    if (script->argumentsHasVarBinding())
-        skip();
-
     unsigned i = 0;
     if (formalEnd < start)
         i = start;
 
     for (; i < start; i++)
         skip();
     for (; i < formalEnd && i < iterEnd; i++) {
         // We are not always able to read values from the snapshots, some values
@@ -154,16 +154,20 @@ inline JSObject *
 InlineFrameIteratorMaybeGC<allowGC>::thisObject() const
 {
     // JS_ASSERT(isConstructing(...));
     SnapshotIterator s(si_);
 
     // scopeChain
     s.skip();
 
+    // Arguments object.
+    if (script()->argumentsHasVarBinding())
+        s.skip();
+
     // In strict modes, |this| may not be an object and thus may not be
     // readable which can either segv in read or trigger the assertion.
     Value v = s.read();
     JS_ASSERT(v.isObject());
     return &v.toObject();
 }
 
 template <AllowGC allowGC>
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug876465.js
@@ -0,0 +1,20 @@
+function initialize() {};
+function test() {
+eval("\
+var Class = {\
+  create : function() {\
+    return function() {\
+      this.initialize.apply(this, arguments);\
+    }\
+  }\
+};\
+var Foo = Class.create();\
+Foo.prototype = {\
+  initialize : function() {\
+    this.bar = Foo();\
+  }\
+};\
+var foo = new Foo();\
+");
+}
+test();