Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
# HG changeset patch
# User Shu-yu Guo <shu@rfrn.org>
# Date 1459741387 -7200
# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
# Parent 9d4364f6b55c6ee65c13c491292c3abe1ee2c993
Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
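diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
@@ -0,0 +1,6 @@
+// |jit-test| slow;
+
+var s = '';
+for (var i = 0; i < 70000; i++)
+ s += 'function x' + i + '() { x' + i + '(); }\n';
+eval("(function() { " + s + " })();");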
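Review bot: The test has no comment saying what it guards; the 70000 self-calling function declarations appear to be there to push the first aliased body-level slot index past UINT16_MAX (the sentinel the bug replaces), and that should be stated so the constant is not lowered later. Suggest adding after the jit-test line `// Bug 1254164: more than UINT16_MAX bindings in one function must not truncate aliasedBodyLevelLexicalBegin.` The test also has no assertion, so it only guards against a crash or engine assertion failure, which is fine for a regression test but worth saying in that same comment.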
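diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
 // JITs when interpreting/compiling aliasedvar ops.)
 
 // Since unaliased variables are, by definition, only accessed by local
 // operations and never through the scope chain, only give shapes to
 // aliased variables. While the debugger may observe any scope object at
 // any time, such accesses are mediated by DebugScopeProxy (see
 // DebugScopeProxy::handleUnaliasedAccess).
 uint32_t nslots = CallObject::RESERVED_SLOTS;
- uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
+
+ // Unless there are aliased body-level lexical bindings at all, set the
+ // begin index to an impossible slot number.
+ uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
 for (BindingIter bi(self); bi; bi++) {
 if (bi->aliased()) {
 // Per ES6, lexical bindings cannot be accessed until
 // initialized. Remember the first aliased slot that is a
 // body-level lexical, so that they may be initialized to sentinel
 // magic values.
 if (numBodyLevelLexicals > 0 &&
 nslots < aliasedBodyLevelLexicalBegin &&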
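Review bot: The new comment above `uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;` reads "Unless there are aliased body-level lexical bindings at all", which says the opposite of what the code does; suggest `// If there are no aliased body-level lexical bindings at all, leave the begin index at an impossible slot number.` The later test `nslots < aliasedBodyLevelLexicalBegin` is now only sound if every real slot index stays below LOCALNO_LIMIT, and that relation is not established anywhere in the hunk, so a one-line note or assertion on the sentinel stating it would make the invariant explicit. The old value UINT16_MAX is exactly the bound the commit title says was too small, so the widening itself looks right. initWithTemporaryStorage starts before and continues after this hunk, and the if condition on the last line is cut off.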
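diff --git a/js/src/jsscript.h b/js/src/jsscript.h
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -201,18 +201,18 @@ class Bindings
 friend class BindingIter;
 friend class AliasedFormalIter;
 
 RelocatablePtrShape callObjShape_;
 uintptr_t bindingArrayAndFlag_;
 uint16_t numArgs_;
 uint16_t numBlockScoped_;
 uint16_t numBodyLevelLexicals_;
- uint16_t aliasedBodyLevelLexicalBegin_;
 uint16_t numUnaliasedBodyLevelLexicals_;
+ uint32_t aliasedBodyLevelLexicalBegin_;
 uint32_t numVars_;
 uint32_t numUnaliasedVars_;
 
 #if JS_BITS_PER_WORD == 32
 // Bindings is allocated inline inside JSScript, which needs to be
 // gc::Cell aligned.
 uint32_t padding_;
 #endif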
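Review bot: The widened field is moved below numUnaliasedBodyLevelLexicals_, which keeps the four uint16_t members contiguous, but nothing in the header pins the size or alignment that the padding_ comment under JS_BITS_PER_WORD == 32 promises for inline allocation in JSScript; by my count the object size is unchanged on both word widths, and a static_assert on sizeof(Bindings) next to padding_ would catch a future member that breaks it. Any accessor or serialization of aliasedBodyLevelLexicalBegin_ that still uses uint16_t is outside this diff and would reintroduce the truncation, so those call sites are worth confirming. The Bindings class starts before and continues past this hunk.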