Bug 844364 - Fix bogus assertion, inverted test when compiling JSOP_EVAL, r=jandem.

2024-09-13 09:24:08 -07:00 · 2013-02-25 15:17:12 -07:00 · 2013-02-25 15:17:12 -07:00 · 59348db6ca
commit 59348db6ca
parent 0c513c127d
4 changed files with 25 additions and 11 deletions
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -4488,15 +4488,14 @@ IonBuilder::jsop_eval(uint32_t argc)
            return abort("Direct eval in global code");

        types::StackTypeSet *thisTypes = oracle->thisTypeSet(script());
-        if (!thisTypes) {
-            // The 'this' value for the outer and eval scripts must be the
-            // same. This is not guaranteed if a primitive string/number/etc.
-            // is passed through to the eval invoke as the primitive may be
-            // boxed into different objects if accessed via 'this'.
-            JSValueType type = thisTypes->getKnownTypeTag();
-            if (type != JSVAL_TYPE_OBJECT && type != JSVAL_TYPE_NULL && type != JSVAL_TYPE_UNDEFINED)
-                return abort("Direct eval from script with maybe-primitive 'this'");
-        }
+
+        // The 'this' value for the outer and eval scripts must be the
+        // same. This is not guaranteed if a primitive string/number/etc.
+        // is passed through to the eval invoke as the primitive may be
+        // boxed into different objects if accessed via 'this'.
+        JSValueType type = thisTypes->getKnownTypeTag();
+        if (type != JSVAL_TYPE_OBJECT && type != JSVAL_TYPE_NULL && type != JSVAL_TYPE_UNDEFINED)
+            return abort("Direct eval from script with maybe-primitive 'this'");

        CallInfo callInfo(cx, /* constructing = */ false);
        if (!callInfo.init(current, argc))
--- a/js/src/jit-test/tests/ion/bug844364.js
+++ b/js/src/jit-test/tests/ion/bug844364.js
@ -0,0 +1,6 @@
+
+function f() {
+  eval("this")
+}
+f()
+f()
--- a/js/src/jit-test/tests/ion/bug844459.js
+++ b/js/src/jit-test/tests/ion/bug844459.js
@ -0,0 +1,7 @@
+
+
+function testEvalThrow(x, y) {
+  eval("");
+}
+for (var i = 0; i < 5; i++)
+  testEvalThrow.call("");
--- a/js/src/jsinterpinlines.h
+++ b/js/src/jsinterpinlines.h
@ -97,9 +97,11 @@ ComputeThis(JSContext *cx, AbstractFramePtr frame)
         * |this| slot. If we lazily wrap a primitive |this| in an eval function frame, the
         * eval's frame will get the wrapper, but the function's frame will not. To prevent
         * this, we always wrap a function's |this| before pushing an eval frame, and should
-         * thus never see an unwrapped primitive in a non-strict eval function frame.
+         * thus never see an unwrapped primitive in a non-strict eval function frame. Null
+         * and undefined |this| values will unwrap to the same object in the function and
+         * eval frames, so are not required to be wrapped.
         */
-        JS_ASSERT(!frame.isEvalFrame());
+        JS_ASSERT_IF(frame.isEvalFrame(), thisv.isUndefined() || thisv.isNull());
    }
    bool modified;
    if (!BoxNonStrictThis(cx, &thisv, &modified))