Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj

2024-09-13 09:24:08 -07:00 · 2013-06-10 14:00:27 +02:00 · 2013-06-10 14:00:27 +02:00 · d85b22a14e
commit d85b22a14e
parent a41642164a
2 changed files with 28 additions and 4 deletions
--- a/js/src/ion/IonFrameIterator-inl.h
+++ b/js/src/ion/IonFrameIterator-inl.h
@ -26,15 +26,15 @@ SnapshotIterator::readFrameArgs(Op &op, const Value *argv, Value *scopeChain, Va
    else
        skip();

+    // Skip slot for arguments object.
+    if (script->argumentsHasVarBinding())
+        skip();
+
    if (thisv)
        *thisv = read();
    else
        skip();

-    // Skip slot for arguments object.
-    if (script->argumentsHasVarBinding())
-        skip();
-
    unsigned i = 0;
    if (formalEnd < start)
        i = start;
@ -159,6 +159,10 @@ InlineFrameIteratorMaybeGC<allowGC>::thisObject() const
    // scopeChain
    s.skip();

+    // Arguments object.
+    if (script()->argumentsHasVarBinding())
+        s.skip();
+
    // In strict modes, |this| may not be an object and thus may not be
    // readable which can either segv in read or trigger the assertion.
    Value v = s.read();
--- a/js/src/jit-test/tests/ion/bug876465.js
+++ b/js/src/jit-test/tests/ion/bug876465.js
@ -0,0 +1,20 @@
+function initialize() {};
+function test() {
+eval("\
+var Class = {\
+  create : function() {\
+    return function() {\
+      this.initialize.apply(this, arguments);\
+    }\
+  }\
+};\
+var Foo = Class.create();\
+Foo.prototype = {\
+  initialize : function() {\
+    this.bar = Foo();\
+  }\
+};\
+var foo = new Foo();\
+");
+}
+test();