wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 1161968 - Fix assertion failure in CloneFunctionObject() if script gets relazified r=jandem

Browse Source
This commit is contained in:
Jon Coppeard 2015-05-07 10:14:40 +01:00
parent 3df5f033c0
commit 0553f878f7
2 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
js/src/jit-test/tests/gc/bug-1161968.js Normal file
View File

@ -0,0 +1,15 @@
// This test case is a simplified version of debug/Source-invisible.js.
if (!'gczeal' in this)
quit();
gczeal(2,21);
var gi = newGlobal();
gi.eval('function f() {}');
var gv = newGlobal();
gv.f = gi.f;
gv.eval('f = clone(f);');
var dbg = new Debugger;

14
js/src/jsfun.cpp
View File

@ -2131,13 +2131,6 @@ js::CloneFunctionObject(JSContext* cx, HandleFunction fun, HandleObject parent,
bool useSameScript = CloneFunctionObjectUseSameScript(cx->compartment(), fun, parent);
JSScript::AutoDelazify funScript(cx);
if (!useSameScript && fun->isInterpretedLazy()) {
funScript = fun;
if (!funScript)
return nullptr;
}
NewObjectKind newKind = useSameScript ? newKindArg : SingletonObject;
RootedObject cloneProto(cx, proto);
if (!cloneProto && fun->isStarGenerator()) {
@ -2162,6 +2155,13 @@ js::CloneFunctionObject(JSContext* cx, HandleFunction fun, HandleObject parent,
return nullptr;
RootedFunction clone(cx, &cloneobj->as<JSFunction>());
JSScript::AutoDelazify funScript(cx);
if (!useSameScript && fun->isInterpretedLazy()) {
funScript = fun;
if (!funScript)
return nullptr;
}
MOZ_ASSERT(useSameScript || !fun->isInterpretedLazy());
uint16_t flags = fun->flags() & ~JSFunction::EXTENDED;