Bug 1133389 - Fix FrameIter::matchCallee to consider all inner functions and not only lambdas. r=shu, a=lmandel
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Fri, 13 Mar 2015 16:14:03 +0100
changeset 250392 d1dc38edb7b1
parent 250391 1c8c794f8c3d
child 250393 44cc57c29710
push id4570
push userryanvm@gmail.com
push date2015-03-16 16:03 +0000
reviewersshu, lmandel
bugs1133389
milestone37.0
Bug 1133389 - Fix FrameIter::matchCallee to consider all inner functions and not only lambdas. r=shu, a=lmandel
js/src/jit-test/tests/ion/recover-lambdas-bug1133389.js
js/src/vm/Stack.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-lambdas-bug1133389.js
@@ -0,0 +1,17 @@
+var o = {}
+Object.defineProperty(o, "p", {
+    get: function() {
+        return arguments.callee.caller.caller;
+    }
+});
+
+function f() {
+    function g() {
+        return o.p;
+    }
+    return g();
+}
+
+for (var k = 0; k < 2; k++) {
+    assertEq(f(), f);
+}
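Review bot: The test has no comment saying which path it is meant to exercise, and the loop at the bottom runs only two iterations, so whether `f` and `g` are actually Ion-compiled (and `g`'s callee recovered rather than materialised) presumably depends on the flags the harness passes. A header line such as `// Bug 1133389: function.caller must identify an inner function declaration whose callee is only a template in the Ion frame.` would make that dependency visible to whoever later changes the harness or moves the file. The assertion `assertEq(f(), f)` checks the outer function only; it would still pass if the getter's immediate caller were misidentified, but that may be out of scope for this bug.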
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -1109,22 +1109,16 @@ FrameIter::matchCallee(JSContext *cx, Ha
     // template from which it would be cloned, we compare properties which are
     // stable across the cloning of JSFunctions.
     if (((currentCallee->flags() ^ fun->flags()) & JSFunction::STABLE_ACROSS_CLONES) != 0 ||
         currentCallee->nargs() != fun->nargs())
     {
         return false;
     }
 
-    // Only some lambdas are optimized in a way which cannot be recovered without
-    // invalidating the frame. Thus, if one of the function is not a lambda we can just
-    // compare it against the calleeTemplate.
-    if (!fun->isLambda() || !currentCallee->isLambda())
-        return currentCallee == fun;
-
     // Use the same condition as |js::CloneFunctionObject|, to know if we should
     // expect both functions to have the same JSScript. If so, and if they are
     // different, then they cannot be equal.
     bool useSameScript = CloneFunctionObjectUseSameScript(fun->compartment(), currentCallee);
     if (useSameScript &&
         (currentCallee->hasScript() != fun->hasScript() ||
          currentCallee->nonLazyScript() != fun->nonLazyScript()))
     {
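Review bot: With the early `return currentCallee == fun;` removed, every pair that passes the flags/nargs filter now reaches the script comparison at the end of this hunk, where `nonLazyScript()` is evaluated whenever the two `hasScript()` results agree, including when both are false. That is safe only if `currentCallee` always has a script at this point, which is presumably true for a callee template taken from a JIT frame, but nothing visible here states it; consider `MOZ_ASSERT(currentCallee->hasScript());` before the `useSameScript` test. The removed comment was also the only explanation of why pointer identity is not enough, so a replacement such as `// Inner functions, not only lambdas, may be clones of the callee template, so identity cannot be used as a shortcut.` would help the next reader. The body of matchCallee starts before and continues after the hunk, so the final decision path is not visible here.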