From 49aef6b26336367da92dba5dc1d9fcc50150b519 Mon Sep 17 00:00:00 2001
From: Eric Faust <efaustbmo@gmail.com>
Date: Wed, 19 Aug 2015 11:19:46 -0700
Subject: [PATCH] Bug 1185961 - Properly install home object on methods in
 classes in lazy scripts. (r=shu)

---
 js/src/frontend/Parser.cpp                    |  5 ++++
 js/src/jsscript.h                             | 10 +++++++-
 .../Class/superPropLazyInnerFunction.js       | 24 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 js/src/tests/ecma_6/Class/superPropLazyInnerFunction.js

diff --git a/js/src/frontend/Parser.cpp b/js/src/frontend/Parser.cpp
index 33a08619fc5a..9bb5bddf5595 100644
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@@ -2075,6 +2075,9 @@ Parser<FullParseHandler>::checkFunctionDefinition(HandlePropertyName funName,
         if (!funbox)
             return false;
 
+        if (fun->lazyScript()->needsHomeObject())
+            funbox->setNeedsHomeObject();
+
         if (!addFreeVariablesFromLazyFunction(fun, pc))
             return false;
 
@@ -2395,6 +2398,8 @@ Parser<SyntaxParseHandler>::finishFunctionDefinition(Node pn, FunctionBox* funbo
         lazy->setUsesArgumentsApplyAndThis();
     if (funbox->isDerivedClassConstructor())
         lazy->setIsDerivedClassConstructor();
+    if (funbox->needsHomeObject())
+        lazy->setNeedsHomeObject();
     PropagateTransitiveParseFlags(funbox, lazy);
 
     fun->initLazyScript(lazy);
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index 3d3ae0467bba..e9497a0dc3d8 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -2053,7 +2053,7 @@ class LazyScript : public gc::TenuredCell
         uint32_t version : 8;
 
         uint32_t numFreeVariables : 24;
-        uint32_t numInnerFunctions : 21;
+        uint32_t numInnerFunctions : 20;
 
         uint32_t generatorKindBits : 2;
 
@@ -2069,6 +2069,7 @@ class LazyScript : public gc::TenuredCell
         uint32_t hasBeenCloned : 1;
         uint32_t treatAsRunOnce : 1;
         uint32_t isDerivedClassConstructor : 1;
+        uint32_t needsHomeObject : 1;
     };
 
     union {
@@ -2247,6 +2248,13 @@ class LazyScript : public gc::TenuredCell
         p_.isDerivedClassConstructor = true;
     }
 
+    bool needsHomeObject() const {
+        return p_.needsHomeObject;
+    }
+    void setNeedsHomeObject() {
+        p_.needsHomeObject = true;
+    }
+
     const char* filename() const {
         return scriptSource()->filename();
     }
diff --git a/js/src/tests/ecma_6/Class/superPropLazyInnerFunction.js b/js/src/tests/ecma_6/Class/superPropLazyInnerFunction.js
new file mode 100644
index 000000000000..d5f90e081bc7
--- /dev/null
+++ b/js/src/tests/ecma_6/Class/superPropLazyInnerFunction.js
@@ -0,0 +1,24 @@
+var test = `
+testcase();
+function testcase() {
+    var tokenCodes  = {
+      get try() {
+        try {
+          super.actual();
+        } catch (e) {}
+      }
+    };
+    var arr = [
+        'try',
+    ];
+    for (var i = 0; i < arr.length; i++) {
+        if (tokenCodes[arr[i]] !== i) {};
+    }
+}
+`;
+
+if (classesEnabled())
+    eval(test);
+
+if (typeof reportCompare === 'function')
+    reportCompare(0,0,"OK");