From fb146a9a7c26d11831b6929bd79eaf7b4a6784fa Mon Sep 17 00:00:00 2001
From: Shu-yu Guo
Date: Fri, 18 Mar 2016 15:07:27 -0700
Subject: [PATCH] Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=lizzard

---
 js/src/jit-test/tests/parser/bug-1254164.js | 6 ++++++
 js/src/jsscript.cpp                         | 5 ++++-
 js/src/jsscript.h                           | 8 ++++++--
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 js/src/jit-test/tests/parser/bug-1254164.js

diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
new file mode 100644
index 00000000000..3b08180a78e
--- /dev/null
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
@@ -0,0 +1,6 @@
+// |jit-test| slow;
+
+var s = '';
+for (var i = 0; i < 70000; i++)
+  s += 'function x' + i + '() { x' + i + '(); }\n';
+eval("(function() { " + s + " })();");
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index d16a6fb0525..21c69495896 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -131,7 +131,10 @@ Bindings::initWithTemporaryStorage(ExclusiveContext* cx, MutableHandle
     // any time, such accesses are mediated by DebugScopeProxy (see
     // DebugScopeProxy::handleUnaliasedAccess).
     uint32_t nslots = CallObject::RESERVED_SLOTS;
-    uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
+
+    // Unless there are aliased body-level lexical bindings at all, set the
+    // begin index to an impossible slot number.
+    uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
     for (BindingIter bi(self); bi; bi++) {
         if (bi->aliased()) {
             // Per ES6, lexical bindings cannot be accessed until
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index bc3a7fe4c9d..796540cb8e9 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
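Review bot: The LOCALNO_LIMIT sentinel on the last added line is only safe if no genuine begin index can ever equal it, and nothing in this hunk checks that; the place where the real index is stored into aliasedBodyLevelLexicalBegin (presumably from the slot count nslots) lies outside the hunk, as does the rest of Bindings::initWithTemporaryStorage. A guard at that assignment, `MOZ_ASSERT(aliasedBodyLevelLexicalBegin < LOCALNO_LIMIT);`, would make a slot count that reaches the limit fail loudly rather than be read back later as "no aliased lexicals", which is the same class of silent misinterpretation the old UINT16_MAX sentinel had. The added comment also reads awkwardly; `// Unless there are aliased body-level lexical bindings, set the begin index to an impossible slot number.` says the same thing more clearly.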
@@ -228,8 +228,8 @@ class Bindings
     uint16_t numArgs_;
     uint16_t numBlockScoped_;
     uint16_t numBodyLevelLexicals_;
-    uint16_t aliasedBodyLevelLexicalBegin_;
     uint16_t numUnaliasedBodyLevelLexicals_;
+    uint32_t aliasedBodyLevelLexicalBegin_;
     uint32_t numVars_;
     uint32_t numUnaliasedVars_;
 
@@ -356,6 +356,10 @@ class Bindings
     void trace(JSTracer* trc);
 };
 
+// If this fails, add/remove padding within Bindings.
+static_assert(sizeof(Bindings) % js::gc::CellSize == 0,
+              "Size of Bindings must be an integral multiple of js::gc::CellSize");
+
 template
 class BindingsOperations
 {
@@ -438,7 +442,7 @@ class MutableBindingsOperations : public BindingsOperations
     void setNumUnaliasedBodyLevelLexicals(uint16_t num) {
         bindings().numUnaliasedBodyLevelLexicals_ = num;
     }
-    void setAliasedBodyLevelLexicalBegin(uint16_t offset) {
+    void setAliasedBodyLevelLexicalBegin(uint32_t offset) {
         bindings().aliasedBodyLevelLexicalBegin_ = offset;
     }
     uint8_t* switchToScriptStorage(Binding* permanentStorage) {
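Review bot: Widening aliasedBodyLevelLexicalBegin_ to uint32_t in the first hunk removes the truncation for this one field, but the neighbouring counters numBlockScoped_, numBodyLevelLexicals_ and numUnaliasedBodyLevelLexicals_ stay uint16_t, and nothing on the page shows where they are bounded; a script with more than 65535 body-level lexical declarations would wrap them the same way unless the parser rejects it first. If such a limit check exists, a comment on these fields naming it would stop the next reader re-auditing this, e.g. `// uint16_t suffices: the parser rejects scripts with more than <LIMIT-PLACEHOLDER> body-level lexicals.`; if it does not, they need the same widening. The reorder also changes the layout of Bindings, which the sizeof(Bindings) % js::gc::CellSize static_assert in the second hunk covers, so any padding adjustment should be made there.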
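Review bot: The widened setAliasedBodyLevelLexicalBegin(uint32_t offset) in the third hunk accepts any 32-bit value, while the field it stores is read back against a sentinel that doubles as the "no aliased lexicals" marker; if LOCALNO_LIMIT is visible in this header, `MOZ_ASSERT(offset <= LOCALNO_LIMIT);` as the first line of the setter would catch a caller handing in an out-of-range index. This is inferred from the jsscript.cpp hunk, where the local is initialised to LOCALNO_LIMIT before presumably being passed to this setter; the call site itself is outside the diff.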