From 53f07d07b2b008748aa90d594e7a330200d42997 Mon Sep 17 00:00:00 2001
From: Bill McCloskey
Date: Sat, 21 Jun 2014 11:54:36 -0700
Subject: [PATCH] Bug 1019181 - Don't use JSPROP_PERMANENT for JSOP_DEFCONST (r=jorendorff)
---
 js/src/jit/BaselineCompiler.cpp | 4 ++--
 js/src/jit/IonBuilder.cpp | 5 ++++-
 js/src/vm/Interpreter.cpp | 4 ++--
 js/src/vm/Opcodes.h | 5 +++--
 4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/js/src/jit/BaselineCompiler.cpp b/js/src/jit/BaselineCompiler.cpp
index 062438e3528..ff1f8c4205b 100644
--- a/js/src/jit/BaselineCompiler.cpp
+++ b/js/src/jit/BaselineCompiler.cpp
@@ -2195,10 +2195,10 @@ BaselineCompiler::emit_JSOP_DEFVAR()
 frame.syncStack(0);
 unsigned attrs = JSPROP_ENUMERATE;
- if (!script->isForEval())
- attrs |= JSPROP_PERMANENT;
 if (JSOp(*pc) == JSOP_DEFCONST)
 attrs |= JSPROP_READONLY;
+ else if (!script->isForEval())
+ attrs |= JSPROP_PERMANENT;
 JS_ASSERT(attrs <= UINT32_MAX);
 masm.loadPtr(frame.addressOfScopeChain(), R0.scratchReg());
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 9b95289d488..f5aa0d9a7c0 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -9733,9 +9733,12 @@ IonBuilder::jsop_defvar(uint32_t index)
 PropertyName *name = script()->getName(index);
 // Bake in attrs.
- unsigned attrs = JSPROP_ENUMERATE | JSPROP_PERMANENT;
+ unsigned attrs = JSPROP_ENUMERATE;
 if (JSOp(*pc) == JSOP_DEFCONST)
 attrs |= JSPROP_READONLY;
+ else
+ attrs |= JSPROP_PERMANENT;
+ JS_ASSERT(!script()->isForEval());
 // Pass the ScopeChain.
 JS_ASSERT(analysis().usesScopeChain());
diff --git a/js/src/vm/Interpreter.cpp b/js/src/vm/Interpreter.cpp
index be3ce0718b5..f88f97f8288 100644
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
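Review bot: In BaselineCompiler::emit_JSOP_DEFVAR the new `else if` leaves a JSOP_DEFCONST binding READONLY but configurable, and nothing at the branch says this is deliberate; the same unexplained ordering is repeated in the CASE(JSOP_DEFVAR) hunk of Interpreter.cpp. A binding without JSPROP_PERMANENT can be deleted and defined again, so any engine path that folds or caches a const global as a fixed value has to key on both attributes rather than on READONLY alone; whether such paths exist is not visible in this patch. I would add a comment at each site, for example `// const bindings are READONLY but intentionally not PERMANENT (bug 1019181)`, and a regression test alongside the change, since the diffstat lists only the four source files. The function body continues outside the hunk.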
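Review bot: The added `JS_ASSERT(!script()->isForEval());` in IonBuilder::jsop_defvar is the only thing keeping the `else` branch from marking an eval-script var as JSPROP_PERMANENT, and an assertion of this kind normally compiles away in release builds (assuming JS_ASSERT is debug-only). Baseline and the interpreter test the condition at run time, so the three sites would agree unconditionally if this branch read `else if (!script()->isForEval())` followed by `attrs |= JSPROP_PERMANENT;`. If Ion is guaranteed never to compile eval scripts, a one-line comment naming where that is enforced would make the assertion self-explaining. jsop_defvar continues past the end of the hunk.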
@@ -2910,10 +2910,10 @@ CASE(JSOP_DEFVAR)
 {
 /* ES5 10.5 step 8 (with subsequent errata). */
 unsigned attrs = JSPROP_ENUMERATE;
- if (!REGS.fp()->isEvalFrame())
- attrs |= JSPROP_PERMANENT;
 if (*REGS.pc == JSOP_DEFCONST)
 attrs |= JSPROP_READONLY;
+ else if (!REGS.fp()->isEvalFrame())
+ attrs |= JSPROP_PERMANENT;
 /* Step 8b. */
 RootedObject &obj = rootObject0;
diff --git a/js/src/vm/Opcodes.h b/js/src/vm/Opcodes.h
index d1362454d0b..0aaaec6c27a 100644
--- a/js/src/vm/Opcodes.h
+++ b/js/src/vm/Opcodes.h
@@ -1138,8 +1138,9 @@
 macro(JSOP_DEFFUN, 127,"deffun", NULL, 5, 0, 0, JOF_OBJECT) \
 /*
 * Defines the new binding on the frame's current variables-object (the
- * scope object on the scope chain designated to receive new variables)
- * with 'READONLY' attribute.
+ * scope object on the scope chain designated to receive new variables) with
+ * 'READONLY' attribute. The binding is *not* JSPROP_PERMANENT. See bug
+ * 1019181 for the reason.
 *
 * This is used for global scripts and also in some cases for function
 * scripts where use of dynamic scoping inhibits optimization.