Bug 1114566 - matchCallee: Check if both functions have a script before comparing them. r=shu

2024-09-13 09:24:08 -07:00 · 2014-12-23 16:32:03 +01:00 · 2014-12-23 16:32:03 +01:00 · aa29fbe0dd
commit aa29fbe0dd
parent 6e378a070c
2 changed files with 7 additions and 1 deletions
--- a/js/src/jit-test/tests/ion/recover-lambdas-bug1114566.js
+++ b/js/src/jit-test/tests/ion/recover-lambdas-bug1114566.js
@ -0,0 +1,2 @@
+
+(new Function("return (function o() {}).caller;"))();
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@ -1124,8 +1124,12 @@ FrameIter::matchCallee(JSContext *cx, HandleFunction fun) const
    // expect both functions to have the same JSScript. If so, and if they are
    // different, then they cannot be equal.
    bool useSameScript = CloneFunctionObjectUseSameScript(fun->compartment(), currentCallee);
-    if (useSameScript && currentCallee->nonLazyScript() != fun->nonLazyScript())
+    if (useSameScript &&
+        (currentCallee->hasScript() != fun->hasScript() ||
+         currentCallee->nonLazyScript() != fun->nonLazyScript()))
+    {
        return false;
+    }

    // If none of the previous filters worked, then take the risk of
    // invalidating the frame to identify the JSFunction.
				`@ -0,0 +1,2 @@`

				`(new Function("return (function o() {}).caller;"))();`