Compute correct object in BINDNAME IC, bug 727223. r=dvander

js/src/methodjit/PolyIC.cpp

@@ -1760,16 +1760,20 @@ class BindNameCompiler : public PICStubCompiler
 
         BindNameLabels &labels = pic.bindNameLabels();
 
+        if (!IsCacheableNonGlobalScope(scopeChain))
+            return disable("non-cacheable obj at start of scope chain");
+
         /* Guard on the shape of the scope chain. */
         masm.loadPtr(Address(JSFrameReg, StackFrame::offsetOfScopeChain()), pic.objReg);
         masm.loadShape(pic.objReg, pic.shapeReg);
         Jump firstShape = masm.branchPtr(Assembler::NotEqual, pic.shapeReg,
                                          ImmPtr(scopeChain->lastProperty()));
 
+        if (scopeChain != obj) {
             /* Walk up the scope chain. */
-        JSObject *tobj = scopeChain;
+            JSObject *tobj = &scopeChain->asScope().enclosingScope();
             Address parent(pic.objReg, ScopeObject::offsetOfEnclosingScope());
-        while (tobj && tobj != obj) {
+            while (tobj) {
                 if (!IsCacheableNonGlobalScope(tobj))
                     return disable("non-cacheable obj in scope chain");
                 masm.loadPayload(parent, pic.objReg);
@@ -1778,10 +1782,13 @@ class BindNameCompiler : public PICStubCompiler
                                                 ImmPtr(tobj->lastProperty()));
                 if (!fails.append(shapeTest))
                     return error();
+                if (tobj == obj)
+                    break;
                 tobj = &tobj->asScope().enclosingScope();
             }
             if (tobj != obj)
                 return disable("indirect hit");
+        }
 
         Jump done = masm.jump();