Bug 763950 - Fix aliased access of let variables from mjit (r=dvander)

--HG--
extra : rebase_source : be43a1352895f6078c5220a973871648e8f76582

js/src/jit-test/tests/basic/testBug763950.js

@@ -0,0 +1,6 @@
+(function() {
+    var x;
+    for (let j = 0; j < 1; j = j + 1) 
+        x = function() { return j; };
+    assertEq(x(), 1);
+})();

js/src/jsanalyze.h

@@ -363,12 +363,10 @@ static inline uint32_t GetBytecodeSlot(JSScript *script, jsbytecode *pc)
       case JSOP_CALLALIASEDVAR:
       case JSOP_SETALIASEDVAR:
       {
-        ScopeCoordinate sc(pc);
-        if (StaticBlockObject *block = ScopeCoordinateBlockChain(script, pc))
-            return LocalSlot(script, block->slotToFrameLocal(script, sc.slot));
-        if (script->bindings.slotIsArg(sc.slot))
-            return ArgSlot(script->bindings.slotToArg(sc.slot));
-        return LocalSlot(script, script->bindings.slotToLocal(sc.slot));
+        unsigned index;
+        return ScopeCoordinateToFrameVar(script, pc, &index) == FrameVar_Local
+               ? LocalSlot(script, index)
+               : ArgSlot(index);
       }
 
       case JSOP_THIS:

js/src/methodjit/Compiler.cpp

@@ -5843,7 +5843,8 @@ mjit::Compiler::jsop_aliasedVar(ScopeCoordinate sc, bool get, bool poppedAfter)
      * dynamic slots. For now, we special case for different layouts:
      */
     Address addr;
-    if (ScopeCoordinateBlockChain(script, PC)) {
+    StaticBlockObject *block = ScopeCoordinateBlockChain(script, PC);
+    if (block) {
         /*
          * Block objects use a fixed AllocKind which means an invariant number
          * of fixed slots. Any slot below the fixed slot count is inline, any
@@ -5871,9 +5872,10 @@ mjit::Compiler::jsop_aliasedVar(ScopeCoordinate sc, bool get, bool poppedAfter)
     }
 
     if (get) {
-        FrameEntry *fe = script->bindings.slotIsLocal(sc.slot)
-                         ? frame.getLocal(script->bindings.slotToLocal(sc.slot))
-                         : frame.getArg(script->bindings.slotToArg(sc.slot));
+        unsigned index;
+        FrameEntry *fe = ScopeCoordinateToFrameVar(script, PC, &index) == FrameVar_Local
+                         ? frame.getLocal(index)
+                         : frame.getArg(index);
         JSValueType type = fe->isTypeKnown() ? fe->getKnownType() : JSVAL_TYPE_UNKNOWN;
         frame.push(addr, type, true /* = reuseBase */);
     } else {

js/src/vm/ScopeObject.cpp

@@ -61,6 +61,24 @@ js::ScopeCoordinateName(JSRuntime *rt, JSScript *script, jsbytecode *pc)
     return JSID_TO_ATOM(id)->asPropertyName();
 }
 
+FrameVarType
+js::ScopeCoordinateToFrameVar(JSScript *script, jsbytecode *pc, unsigned *index)
+{
+    ScopeCoordinate sc(pc);
+    if (StaticBlockObject *block = ScopeCoordinateBlockChain(script, pc)) {
+        *index = block->slotToFrameLocal(script, sc.slot);
+        return FrameVar_Local;
+    }
+
+    if (script->bindings.slotIsLocal(sc.slot)) {
+        *index = script->bindings.slotToLocal(sc.slot);
+        return FrameVar_Local;
+    }
+
+    *index = script->bindings.slotToArg(sc.slot);
+    return FrameVar_Arg;
+}
+
 /*****************************************************************************/
 
 /*

js/src/vm/ScopeObject.h

@@ -44,6 +44,17 @@ ScopeCoordinateBlockChain(JSScript *script, jsbytecode *pc);
 extern PropertyName *
 ScopeCoordinateName(JSRuntime *rt, JSScript *script, jsbytecode *pc);
 
+/*
+ * The 'slot' of a ScopeCoordinate is relative to the scope object. Type
+ * inference and jit compilation are instead relative to frame values (even if
+ * these values are aliased and thus never accessed, the the index of the
+ * variable is used to refer to the jit/inference information). This function
+ * maps from the ScopeCoordinate space to the StackFrame variable space.
+ */
+enum FrameVarType { FrameVar_Local, FrameVar_Arg };
+extern FrameVarType
+ScopeCoordinateToFrameVar(JSScript *script, jsbytecode *pc, unsigned *index);
+
 /*****************************************************************************/
 
 /*