From d85b22a14e11cf63ebd85670a203cac621f8bdad Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Mon, 10 Jun 2013 14:00:27 +0200
Subject: [PATCH] Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj
---
 js/src/ion/IonFrameIterator-inl.h | 12 ++++++++----
 js/src/jit-test/tests/ion/bug876465.js | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug876465.js

diff --git a/js/src/ion/IonFrameIterator-inl.h b/js/src/ion/IonFrameIterator-inl.h
index ac60587643d..33f4c37d23c 100644
--- a/js/src/ion/IonFrameIterator-inl.h
+++ b/js/src/ion/IonFrameIterator-inl.h
@@ -26,15 +26,15 @@ SnapshotIterator::readFrameArgs(Op &op, const Value *argv, Value *scopeChain, Va
 else
 skip();

+ // Skip slot for arguments object.
+ if (script->argumentsHasVarBinding())
+ skip();
+
 if (thisv)
 *thisv = read();
 else
 skip();

- // Skip slot for arguments object.
- if (script->argumentsHasVarBinding())
- skip();
-
 unsigned i = 0;
 if (formalEnd < start)
 i = start;
@@ -159,6 +159,10 @@ InlineFrameIteratorMaybeGC::thisObject() const
 // scopeChain
 s.skip();

+ // Arguments object.
+ if (script()->argumentsHasVarBinding())
+ s.skip();
+
 // In strict modes, |this| may not be an object and thus may not be
 // readable which can either segv in read or trigger the assertion.
 Value v = s.read();
diff --git a/js/src/jit-test/tests/ion/bug876465.js b/js/src/jit-test/tests/ion/bug876465.js
new file mode 100644
index 00000000000..010848bddaf
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug876465.js
@@ -0,0 +1,20 @@
+function initialize() {};
+function test() {
+eval("\
+var Class = {\
+ create : function() {\
+ return function() {\
+ this.initialize.apply(this, arguments);\
+ }\
+ }\
+};\
+var Foo = Class.create();\
+Foo.prototype = {\
+ initialize : function() {\
+ this.bar = Foo();\
+ }\
+};\
+var foo = new Foo();\
+");
+}
+test();
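Review bot: The snapshot slot order is hard-coded in two readers, readFrameArgs here and InlineFrameIteratorMaybeGC::thisObject() in the second hunk, and neither states the layout it depends on. This commit shows how they drift: one reader skipped the arguments-object slot after |this| and the other did not skip it at all, so each would presumably have returned the wrong slot as |this|. I would put a layout comment above the first read, `// Snapshot slot order: scopeChain, arguments object (only if argumentsHasVarBinding()), |this|, formals.`, and note that it has to match whatever writes the snapshot, which is not visible in this patch. A single helper on SnapshotIterator that skips up to |this| would keep the two call sites in step. readFrameArgs starts and ends outside the hunk.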
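Review bot: The new comment `// Arguments object.` in thisObject() does not say that the slot is conditional or that it is being skipped, unlike the wording used in readFrameArgs. Something like `// Skip the arguments-object slot; it is only present when the script has an arguments binding.` would match the check below it. The comment that follows warns that reading |this| can segv or assert, so every slot consumed before `s.read()` is worth spelling out. thisObject()'s body starts and ends outside the hunk.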
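Review bot: The test has no assertion and no comment, so it fails only if the engine crashes or trips a debug assertion; a build that reads the wrong slot as |this| without crashing would still pass. A header comment should say what is exercised, for example `// Bug 876465: |this| must be read from the right snapshot slot when the script binds |arguments|.`, and that the global `initialize` is apparently there because `Foo()` is called without `new`. Adding a check as the last line of the eval'd source, such as `assertEq(foo.bar, undefined);\`, would pin the result rather than rely on a crash.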