From 4f33d707bc9ca491f53f012dcf15c7045e1e2d9f Mon Sep 17 00:00:00 2001
From: Brendan Eich <brendan@mozilla.org>
Date: Mon, 5 Oct 2009 23:50:42 -0700
Subject: [PATCH] Deoptimize upvar-for-eval if in for-in loop LHS position
 (520513, r=mrbkap).

---
 js/src/jsemit.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/js/src/jsemit.cpp b/js/src/jsemit.cpp
index 59c9f68c9c5d..dbc8cf40b4e8 100644
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -2157,9 +2157,9 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
         if (op != JSOP_NAME)
             return JS_TRUE;
 
-#ifdef DEBUG
         JSStackFrame *caller = cg->compiler->callerFrame;
         JS_ASSERT(caller);
+        JS_ASSERT(caller->script);
 
         JSTreeContext *tc = cg;
         while (tc->staticLevel != level)
@@ -2168,10 +2168,14 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
 
         JSCodeGenerator *evalcg = (JSCodeGenerator *) tc;
         JS_ASSERT(evalcg->flags & TCF_COMPILE_N_GO);
-        JS_ASSERT(!(evalcg->flags & TCF_IN_FOR_INIT));
-        JS_ASSERT(caller->script);
         JS_ASSERT(caller->fun && caller->varobj == evalcg->scopeChain);
-#endif
+
+        /*
+         * Don't generate upvars on the left side of a for loop. See
+         * bug 470758 and bug 520513.
+         */
+        if (evalcg->flags & TCF_IN_FOR_INIT)
+            return JS_TRUE;
 
         if (cg->staticLevel == level) {
             pn->pn_op = JSOP_GETUPVAR;