Bug 756919 - Handle prologue failure in ScopeIter (r=jimb)

2024-09-13 09:24:08 -07:00 · 2012-05-25 11:44:41 +02:00 · 2012-05-25 11:44:41 +02:00 · 705d064b67
commit 705d064b67
parent c797a64626
4 changed files with 21 additions and 7 deletions
--- a/js/src/jit-test/jit_test.py
+++ b/js/src/jit-test/jit_test.py
@ -248,7 +248,7 @@ def check_output(out, err, rc, test):
    if rc != test.expect_status:
        # Allow a non-zero exit code if we want to allow OOM, but only if we
        # actually got OOM.
-        return test.allow_oom and ': out of memory' in err
+        return test.allow_oom and ': out of memory' in err and 'Assertion failure' not in err

    return True

--- a/js/src/jit-test/tests/basic/testBug756919.js
+++ b/js/src/jit-test/tests/basic/testBug756919.js
@ -0,0 +1,8 @@
+// |jit-test| allow-oom
+
+gcparam("maxBytes", gcparam("gcBytes") + 1024);
+test();
+function test() {
+  test();
+  eval('');
+}
--- a/js/src/jsinterpinlines.h
+++ b/js/src/jsinterpinlines.h
@ -528,7 +528,7 @@ AssertValidFunctionScopeChainAtExit(StackFrame *fp)
    JS_ASSERT(!fp->hasBlockChain());
    JSObject &scope = *fp->scopeChain();

-    if (fp->fun()->isHeavyweight())
+    if (fp->fun()->isHeavyweight() && fp->hasCallObj())
        JS_ASSERT(scope.asCall().maybeStackFrame() == fp);
    else if (scope.isCall() || scope.isBlock())
        JS_ASSERT(scope.asScope().maybeStackFrame() != fp);
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@ -1151,12 +1151,15 @@ ScopeIter::settle()
     * frame, the scope chain (pointed to by cur_) continues into the scopes of
     * enclosing frames. Thus, it is important not to look at cur_ until it is
     * certain that cur_ points to a scope object in the current frame. In
-     * particular, there are two tricky corner cases:
-     *  - nested non-heavyweight functions;
+     * particular, there are three tricky corner cases:
+     *  - non-heavyweight functions;
     *  - non-strict direct eval.
-     * In both cases, cur_ can already be pointing into an enclosing frame's
-     * scope chain. As a final twist: even if cur_ points into an enclosing
-     * frame's scope chain, the current frame may still have uncloned blocks.
+     *  - heavyweight functions observed before the prologue has finished;
+     * In all cases, cur_ can already be pointing into an enclosing frame's
+     * scope chain. Furthermore, in the first two cases: even if cur_ points
+     * into an enclosing frame's scope chain, the current frame may still have
+     * uncloned blocks. In the last case, since we haven't entered the
+     * function, we simply return a ScopeIter where done() == true.
     *
     * Note: DebugScopeObject falls nicely into this plan: since they are only
     * ever introduced as the *enclosing* scope of a frame, they should never
@ -1178,6 +1181,9 @@ ScopeIter::settle()
        } else {
            fp_ = NULL;
        }
+    } else if (fp_->isNonEvalFunctionFrame() && !fp_->hasCallObj()) {
+        JS_ASSERT(cur_ == fp_->fun()->environment());
+        fp_ = NULL;
    } else if (cur_->isWith()) {
        JS_ASSERT_IF(fp_->isFunctionFrame(), fp_->fun()->isHeavyweight());
        JS_ASSERT_IF(block_, block_->needsClone());