From cff53ed7c95b498021108a5c6939a1e35bd03776 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo
Date: Fri, 3 Apr 2015 14:18:05 -0700
Subject: [PATCH] Bug 1149510 - Don't try to read the result object when doing in-place debug mode bailout in a for-of loop. (r=jandem)
---
 .../tests/debug/onExceptionUnwind-15.js | 25 +++++++++++++++++++
 js/src/jit/BaselineBailouts.cpp | 8 +++---
 2 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 js/src/jit-test/tests/debug/onExceptionUnwind-15.js
diff --git a/js/src/jit-test/tests/debug/onExceptionUnwind-15.js b/js/src/jit-test/tests/debug/onExceptionUnwind-15.js
new file mode 100644
index 000000000000..0c6f46f23a01
--- /dev/null
+++ b/js/src/jit-test/tests/debug/onExceptionUnwind-15.js
@@ -0,0 +1,25 @@
+// Test that Ion->Baseline in-place debug mode bailout can recover the iterator
+// from the snapshot in a for-of loop.
+
+g = newGlobal();
+g.parent = this;
+g.eval("Debugger(parent).onExceptionUnwind=(function() {})");
+function throwInNext() {
+ yield 1;
+ yield 2;
+ yield 3;
+ throw 42;
+}
+
+function f() {
+ for (var o of new throwInNext);
+}
+
+var log = "";
+try {
+ f();
+} catch (e) {
+ log += e;
+}
+
+assertEq(log, "42");
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index 3f3ef7aff4c2..65fbc125fc2d 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -487,12 +487,10 @@ HasLiveIteratorAtStackDepth(JSScript* script, jsbytecode* pc, uint32_t stackDept
 if (tn->kind == JSTRY_FOR_IN && stackDepth == tn->stackDepth)
 return true;
- // For-of loops have both the iterator and the result on stack.
- if (tn->kind == JSTRY_FOR_OF &&
- (stackDepth == tn->stackDepth || stackDepth == tn->stackDepth - 1))
- {
+ // For-of loops have both the iterator and the result object on
+ // stack. The iterator is below the result object.
+ if (tn->kind == JSTRY_FOR_OF && stackDepth == tn->stackDepth - 1)
 return true;
- }
 }
 return false;
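Review bot: The test never checks that the `onExceptionUnwind` hook actually ran, so it can pass without exercising the path it names. The hook installed by `g.eval(...)` is an empty function and the only assertion is `assertEq(log, "42")`, which also holds if the exception propagates without any debug-mode bailout. Nothing visible in the file forces `f` into Ion either, so coverage presumably depends on the harness running it with eager-compilation flags. Counting hook invocations would tighten it, for example `g.eval("var hits = 0; Debugger(parent).onExceptionUnwind = function() { hits++; };")` followed by `assertEq(g.hits > 0, true);`. A one-line comment naming the JIT configuration the test relies on would help too.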
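Review bot: The new condition `stackDepth == tn->stackDepth - 1` depends on an invariant that the comment does not state and the code does not check. For a `JSTRY_FOR_OF` note, `tn->stackDepth` must already count both the iterator and the result object. If that field is unsigned like the `stackDepth` parameter, a zero depth would wrap rather than fail visibly, so I would pin the invariant with `MOZ_ASSERT(tn->stackDepth > 0);` before the comparison. The comment should also say why the result-object slot is deliberately no longer reported as live, for example `// Only the iterator slot is a live iterator; the result object above it must not be read during in-place debug mode bailout.` This function decides which stack slot gets treated as an iterator during bailout, so a future edit that re-adds the `tn->stackDepth` case would reintroduce the bad read. The body of `HasLiveIteratorAtStackDepth` starts outside the hunk, so the loop and its callers are not visible here.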