Bug 1070462 - Have BINDNAME push a poison scope on uninitialized lexical lookup. (r=Waldo)

2014-09-23 15:43:27 -07:00
parent ec1dcbb8e0
commit 2d9dd3a1de
8 changed files with 232 additions and 48 deletions
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -60,6 +60,7 @@

 #include "vm/ArrayObject-inl.h"
 #include "vm/BooleanObject-inl.h"
+#include "vm/Interpreter-inl.h"
 #include "vm/NumberObject-inl.h"
 #include "vm/ObjectImpl-inl.h"
 #include "vm/Runtime-inl.h"
@@ -4778,17 +4779,18 @@ js::LookupNameNoGC(JSContext *cx, PropertyName *name, JSObject *scopeChain,

 bool
 js::LookupNameWithGlobalDefault(JSContext *cx, HandlePropertyName name, HandleObject scopeChain,
-                                MutableHandleObject objp, MutableHandleShape propp)
+                                MutableHandleObject objp)
 {
    RootedId id(cx, NameToId(name));

    RootedObject pobj(cx);
+    RootedShape shape(cx);

    RootedObject scope(cx, scopeChain);
    for (; !scope->is<GlobalObject>(); scope = scope->enclosingScope()) {
-        if (!JSObject::lookupGeneric(cx, scope, id, &pobj, propp))
+        if (!JSObject::lookupGeneric(cx, scope, id, &pobj, &shape))
            return false;
-        if (propp)
+        if (shape)
            break;
    }

@@ -4798,28 +4800,27 @@ js::LookupNameWithGlobalDefault(JSContext *cx, HandlePropertyName name, HandleOb

 bool
 js::LookupNameUnqualified(JSContext *cx, HandlePropertyName name, HandleObject scopeChain,
-                          MutableHandleObject objp, MutableHandleShape propp)
+                          MutableHandleObject objp)
 {
    RootedId id(cx, NameToId(name));

    RootedObject pobj(cx);
+    RootedShape shape(cx);

    RootedObject scope(cx, scopeChain);
    for (; !scope->isUnqualifiedVarObj(); scope = scope->enclosingScope()) {
-        if (!JSObject::lookupGeneric(cx, scope, id, &pobj, propp))
+        if (!JSObject::lookupGeneric(cx, scope, id, &pobj, &shape))
            return false;
-        if (propp)
+        if (shape)
            break;
    }

-    // If the name was found not on the scope object itself, null out the
-    // shape, which is passed as an out pointer to determine uninitialized
-    // lexical slots. In the case when the name is not found on the scope
-    // object itself, it cannot be an uninitialized lexical slot.
-    //
-    // See the JSOP_BINDNAME case in the Interpreter.
-    if (pobj != scope)
-        propp.set(nullptr);
+    // See note above UninitializedLexicalObject.
+    if (pobj == scope && IsUninitializedLexicalSlot(scope, shape)) {
+        scope = UninitializedLexicalObject::create(cx, scope);
+        if (!scope)
+            return false;
+    }

    objp.set(scope);
    return true;