Bug 1182866 - Fix Baseline GETNAME stubs to check for uninitialized lexicals. (r=jandem) a=ritu
authorShu-yu Guo <shu@rfrn.org>
Tue, 15 Dec 2015 14:31:34 -0800
changeset 305839 87ca4a7f2c2aaaea6e25953be697af9f53661de4
parent 305838 e71e41130c71d4b5a4011850073f5aacd9bf99a4
child 305840 71d087ecddc0eace65c866a19244db2c8e7450ea
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
reviewersjandem, ritu
bugs1182866
milestone44.0
Bug 1182866 - Fix Baseline GETNAME stubs to check for uninitialized lexicals. (r=jandem) a=ritu
js/src/jit-test/tests/baseline/bug1182866.js
js/src/jit/BaselineIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/baseline/bug1182866.js
@@ -0,0 +1,17 @@
+// |jit-test| error: ReferenceError
+
+with(7) {
+    function f() {
+        if (i == 15) {
+            g();
+        }
+        const x = 42;
+        function g() {
+            return x;
+        }
+        return g;
+    }
+}
+for (var i = 0; i < 99; i++) {
+    assertEq(f()(), 42);
+}
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5301,17 +5301,21 @@ ICGetName_Scope<NumHops>::Compiler::gene
     Register scope = NumHops ? walker : obj;
 
     if (!isFixedSlot_) {
         masm.loadPtr(Address(scope, NativeObject::offsetOfSlots()), walker);
         scope = walker;
     }
 
     masm.load32(Address(ICStubReg, ICGetName_Scope::offsetOfOffset()), scratch);
-    masm.loadValue(BaseIndex(scope, scratch, TimesOne), R0);
+
+    // GETNAME needs to check for uninitialized lexicals.
+    BaseIndex slot(scope, scratch, TimesOne);
+    masm.branchTestMagic(Assembler::Equal, slot, &failure);
+    masm.loadValue(slot, R0);
 
     // Enter type monitor IC to type-check result.
     EmitEnterTypeMonitorIC(masm);
 
     // Failure case - jump to next stub
     masm.bind(&failure);
     EmitStubGuardFailure(masm);
     return true;
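Review bot: The new comment above the `branchTestMagic` guard says only that the check is needed, not what happens when it fires; since `failure` is bound at the bottom of this hunk to `EmitStubGuardFailure`, the uninitialized-lexical case falls out to the next stub rather than throwing here, and that contract is worth spelling out because any magic payload (not just the uninitialized-lexical sentinel) takes the same exit. I would expand it to `// GETNAME must not hand an uninitialized-lexical magic value to the type monitor; bail to the next stub, which takes the slow path and raises the ReferenceError.` The conservative test on any magic value looks intentional, but if that is not the case a payload-specific check would be the narrower guard. The enclosing generateStubCode body, including the declaration of `failure`, starts outside the hunk; if other GETNAME stub generators load a slot into R0 the same way they presumably need the same guard, which this change does not show.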