Bug 1089761 - Initialize lexicals to throw on touch on CallObject templates. (r=jandem)

js/src/jit-test/tests/ion/bug1089761.js

@@ -0,0 +1,14 @@
+var hits = 0;
+for (var j = 0; j < 9; ++j) {
+    try {
+        (function() {
+            (function() {
+                eval("x")
+                let x
+            })()
+        })()
+    } catch (e) {
+      hits++;
+    }
+}
+assertEq(hits, 9);

js/src/vm/ScopeObject-inl.h

@@ -57,9 +57,9 @@ inline void
 CallObject::setAliasedLexicalsToThrowOnTouch(JSScript *script)
 {
     uint32_t aliasedLexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
-    uint32_t aliasedLexicalEnd = numFixedSlots();
+    uint32_t aliasedLexicalEnd = slotSpan();
     for (uint32_t slot = aliasedLexicalBegin; slot < aliasedLexicalEnd; slot++)
-        initFixedSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
+        initSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
 }
 
 template <AllowGC allowGC>

js/src/vm/ScopeObject.cpp

@@ -198,6 +198,10 @@ CallObject::createTemplateObject(JSContext *cx, HandleScript script, gc::Initial
     if (!obj)
         return nullptr;
 
+    // Set uninitialized lexicals even on template objects, as Ion will
+    // copy over the template object's slot values in the fast path.
+    obj->as<CallObject>().setAliasedLexicalsToThrowOnTouch(script);
+
     return &obj->as<CallObject>();
 }
 
@@ -217,7 +221,6 @@ CallObject::create(JSContext *cx, HandleScript script, HandleObject enclosing, H
 
     callobj->as<ScopeObject>().setEnclosingScope(enclosing);
     callobj->initFixedSlot(CALLEE_SLOT, ObjectOrNullValue(callee));
-    callobj->setAliasedLexicalsToThrowOnTouch(script);
 
     if (script->treatAsRunOnce()) {
         Rooted<CallObject*> ncallobj(cx, callobj);