From 48c1b67d5009bbad7328d8d8fecd1eab26bb034b Mon Sep 17 00:00:00 2001
From: Jeff Walden
Date: Tue, 1 Mar 2011 09:59:37 -0800
Subject: [PATCH] Bug 637385 - Don't try to trace through a bindname in strict mode eval code. r=dvander, a=dmandelin
---
 .../tests/basic/bindname-in-strict-eval.js | 3 ++
 js/src/jstracer.cpp | 30 ++++++++++++-------
 2 files changed, 22 insertions(+), 11 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bindname-in-strict-eval.js
diff --git a/js/src/jit-test/tests/basic/bindname-in-strict-eval.js b/js/src/jit-test/tests/basic/bindname-in-strict-eval.js
new file mode 100644
index 000000000000..fa231022d30f
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bindname-in-strict-eval.js
@@ -0,0 +1,3 @@
+'use strict';
+eval("var i = 0; var end = RUNLOOP; for(var j = 0; j < end; i++, j++) { i = 0; }");
+print("done");
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 98bf8884629c..488acd4f705e 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -15269,8 +15269,10 @@ TraceRecorder::record_JSOP_BINDNAME()
 JSStackFrame *fp2 = fp;
 #endif

- // In global code, fp->scopeChain can only contain blocks whose values
- // are still on the stack. We never use BINDNAME to refer to these.
+ /*
+ * In global code, fp->scopeChain can only contain blocks whose values
+ * are still on the stack. We never use BINDNAME to refer to these.
+ */
 while (obj->isBlock()) {
 // The block's values are still on the stack.
 #ifdef DEBUG
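Review bot: The new test bindname-in-strict-eval.js asserts nothing about the result; it only shows that the loop ran and reached `print("done")`. On a build without debug assertions it would therefore pass whether or not the recorder handles BINDNAME in strict eval code correctly. Consider checking the value the eval produces, for example by ending the eval string with `i` and wrapping the call as `assertEq(eval("... i"), 1);` (assuming RUNLOOP is positive, so the last `i++` leaves `i` at 1).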
@@ -15287,17 +15289,23 @@ TraceRecorder::record_JSOP_BINDNAME()
 JS_ASSERT(obj);
 }

- // If anything other than Block, Call, DeclEnv, and the global object
- // is on the scope chain, we shouldn't be recording. Of those, only
- // Block and global can be present in global code.
- JS_ASSERT(obj == globalObj);
+ /*
+ * If this is a strict mode eval frame, we will have a Call object for
+ * it. For now just don't trace this case.
+ */
+ if (obj != globalObj) {
+ JS_ASSERT(obj->isCall());
+ JS_ASSERT(obj->callIsForEval());
+ RETURN_STOP_A("BINDNAME within strict eval code");
+ }

 /*
- * The trace is specialized to this global object. Furthermore, we know it
- * is the sole 'global' object on the scope chain: we set globalObj to the
- * scope chain element with no parent, and we reached it starting from the
- * function closure or the current scopeChain, so there is nothing inner to
- * it. Therefore this must be the right base object.
+ * The trace is specialized to this global object. Furthermore, we know
+ * it is the sole 'global' object on the scope chain: we set globalObj
+ * to the scope chain element with no parent, and we reached it
+ * starting from the function closure or the current scopeChain, so
+ * there is nothing inner to it. Therefore this must be the right base
+ * object.
 */
 stack(0, w.immpObjGC(obj));
 return ARECORD_CONTINUE;
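Review bot: The comment and abort message on the new `if (obj != globalObj)` branch describe only the strict-eval Call object, but the branch is the sole release-build guard for every non-global object, since the two `JS_ASSERT`s inside it are presumably compiled out there. That is the safe direction, because nothing but `globalObj` can now reach `stack(0, w.immpObjGC(obj))`. However, the removed comment was the only statement of which objects may appear on the scope chain here. I would extend the new comment with something like `* Any other object here is unexpected; stop recording rather than bake a non-global base object into the trace.` so the fail-closed intent is explicit. The body of record_JSOP_BINDNAME starts before this hunk and continues past it.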