mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-21 01:05:45 +00:00
Bug 876465 - Skip arguments-object slot in InlineFrameIterator::thisObject() and SnapshotIterator::readFrameArgs. r=djvj
This commit is contained in:
parent
66c836277c
commit
ee52a9c8e4
@ -26,15 +26,15 @@ SnapshotIterator::readFrameArgs(Op &op, const Value *argv, Value *scopeChain, Va
|
||||
else
|
||||
skip();
|
||||
|
||||
// Skip slot for arguments object.
|
||||
if (script->argumentsHasVarBinding())
|
||||
skip();
|
||||
|
||||
if (thisv)
|
||||
*thisv = read();
|
||||
else
|
||||
skip();
|
||||
|
||||
// Skip slot for arguments object.
|
||||
if (script->argumentsHasVarBinding())
|
||||
skip();
|
||||
|
||||
unsigned i = 0;
|
||||
if (formalEnd < start)
|
||||
i = start;
|
||||
@ -159,6 +159,10 @@ InlineFrameIteratorMaybeGC<allowGC>::thisObject() const
|
||||
// scopeChain
|
||||
s.skip();
|
||||
|
||||
// Arguments object.
|
||||
if (script()->argumentsHasVarBinding())
|
||||
s.skip();
|
||||
|
||||
// In strict modes, |this| may not be an object and thus may not be
|
||||
// readable which can either segv in read or trigger the assertion.
|
||||
Value v = s.read();
|
||||
|
20
js/src/jit-test/tests/ion/bug876465.js
Normal file
20
js/src/jit-test/tests/ion/bug876465.js
Normal file
@ -0,0 +1,20 @@
|
||||
function initialize() {};
|
||||
function test() {
|
||||
eval("\
|
||||
var Class = {\
|
||||
create : function() {\
|
||||
return function() {\
|
||||
this.initialize.apply(this, arguments);\
|
||||
}\
|
||||
}\
|
||||
};\
|
||||
var Foo = Class.create();\
|
||||
Foo.prototype = {\
|
||||
initialize : function() {\
|
||||
this.bar = Foo();\
|
||||
}\
|
||||
};\
|
||||
var foo = new Foo();\
|
||||
");
|
||||
}
|
||||
test();
|
Loading…
Reference in New Issue
Block a user