1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
# HG changeset patch
# User Shu-yu Guo <shu@rfrn.org>
# Date 1459741387 -7200
# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
# Parent 9d4364f6b55c6ee65c13c491292c3abe1ee2c993
Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
@@ -0,0 +1,6 @@
+// |jit-test| slow;
+
+var s = '';
+for (var i = 0; i < 70000; i++)
+ s += 'function x' + i + '() { x' + i + '(); }\n';
+eval("(function() { " + s + " })();");
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
// JITs when interpreting/compiling aliasedvar ops.)
// Since unaliased variables are, by definition, only accessed by local
// operations and never through the scope chain, only give shapes to
// aliased variables. While the debugger may observe any scope object at
// any time, such accesses are mediated by DebugScopeProxy (see
// DebugScopeProxy::handleUnaliasedAccess).
uint32_t nslots = CallObject::RESERVED_SLOTS;
- uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
+
+ // Unless there are aliased body-level lexical bindings at all, set the
+ // begin index to an impossible slot number.
+ uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
for (BindingIter bi(self); bi; bi++) {
if (bi->aliased()) {
// Per ES6, lexical bindings cannot be accessed until
// initialized. Remember the first aliased slot that is a
// body-level lexical, so that they may be initialized to sentinel
// magic values.
if (numBodyLevelLexicals > 0 &&
nslots < aliasedBodyLevelLexicalBegin &&
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -201,18 +201,18 @@ class Bindings
friend class BindingIter;
friend class AliasedFormalIter;
RelocatablePtrShape callObjShape_;
uintptr_t bindingArrayAndFlag_;
uint16_t numArgs_;
uint16_t numBlockScoped_;
uint16_t numBodyLevelLexicals_;
- uint16_t aliasedBodyLevelLexicalBegin_;
uint16_t numUnaliasedBodyLevelLexicals_;
+ uint32_t aliasedBodyLevelLexicalBegin_;
uint32_t numVars_;
uint32_t numUnaliasedVars_;
#if JS_BITS_PER_WORD == 32
// Bindings is allocated inline inside JSScript, which needs to be
// gc::Cell aligned.
uint32_t padding_;
#endif
|
