Bug 1037665 - Don't optimize arguments.callee in strict mode. (r=h4writer)

Shu-yu Guo 2014-07-18 14:39:30 -07:00
parent 65266c1611
commit bd15a94ee1
3 changed files with 8 additions and 3 deletions


@ -6082,6 +6082,8 @@ TryAttachMagicArgumentsGetPropStub(JSContext *cx, JSScript *script, ICGetProp_Fa
// Try handling arguments.callee on optimized arguments.
if (name == cx->names().callee) {
MOZ_ASSERT(!script->strict());
IonSpew(IonSpew_BaselineIC, " Generating GetProp(MagicArgs.callee) stub");
// Unlike ICGetProp_ArgumentsLength, only magic argument stubs are
@ -6477,6 +6479,7 @@ ComputeGetPropResult(JSContext *cx, BaselineFrame *frame, JSOp op, HandlePropert
res.setInt32(frame->numActualArgs());
} else {
MOZ_ASSERT(name == cx->names().callee);
MOZ_ASSERT(!frame->script()->strict());
res.setObject(*frame->callee());
}
} else {
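Review bot: The added `MOZ_ASSERT(!script->strict())` and `MOZ_ASSERT(!frame->script()->strict())` are compiled out of release builds, so nothing in these two paths stops the MagicArgs.callee stub or ComputeGetPropResult from returning `frame->callee()` for a strict script if an optimized-arguments value ever reaches them. As far as this page shows, the only release-mode enforcement is the `!script->strict()` test in ArgumentsUseCanBeLazy, and neither assert states that dependency. I would add a comment above each, such as `// Strict scripts never use lazy arguments for .callee; see ArgumentsUseCanBeLazy.`, and consider declining to attach the stub when the script is strict rather than only asserting. The same applies to the assert added in IonBuilder::getPropTryArgumentsCallee; both functions here start and end outside the hunks.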


@ -2417,11 +2417,11 @@ ArgumentsUseCanBeLazy(JSContext *cx, JSScript *script, MInstruction *ins, size_t
if (ins->isGetArgumentsObjectArg() && index == 0)
return true;
// arguments.length length can read fp->numActualArgs() directly and
// arguments.callee can read fp->callee() directly.
// arguments.length length can read fp->numActualArgs() directly.
// arguments.callee can read fp->callee() directly in non-strict code.
if (ins->isCallGetProperty() && index == 0 &&
(ins->toCallGetProperty()->name() == cx->names().length ||
ins->toCallGetProperty()->name() == cx->names().callee))
(!script->strict() && ins->toCallGetProperty()->name() == cx->names().callee)))
{
return true;
}
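Review bot: The new `!script->strict()` condition on the callee clause is the behavioural fix, but the diffstat lists only three changed files and none of the sections shown is a test. Nothing here pins that a strict function reading `arguments.callee` still throws once the script has been compiled by baseline and Ion. A small jit-test that calls such a function in a warm-up loop and expects a TypeError on every iteration would catch a regression. The rewritten comment also keeps the doubled word; `// arguments.length can read fp->numActualArgs() directly.` reads better. ArgumentsUseCanBeLazy starts and ends outside the hunk.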


@ -8728,6 +8728,8 @@ IonBuilder::getPropTryArgumentsCallee(bool *emitted, MDefinition *obj, PropertyN
if (name != names().callee)
return true;
MOZ_ASSERT(!script()->strict());
obj->setImplicitlyUsedUnchecked();
current->push(getCallee());