Bug 1073702 - Check for uninitialized lexical bindings in FetchName and friends. (r=jandem)

js/src/jit-test/tests/ion/bug1073702.js

@@ -0,0 +1,10 @@
+try {
+  let x = ((function f(y) {
+    if (y > 0) {
+      f(-1)
+    }
+    x
+  })(1))
+} catch (e) {
+  assertEq(e instanceof ReferenceError, true);
+}

js/src/vm/Interpreter-inl.h

@@ -254,7 +254,10 @@ FetchName(JSContext *cx, HandleObject obj, HandleObject obj2, HandlePropertyName
             return false;
         }
     }
-    return true;
+
+    // NAME operations are the slow paths already, so unconditionally check
+    // for uninitialized lets.
+    return CheckUninitializedLexical(cx, name, vp);
 }
 
 inline bool
@@ -264,7 +267,7 @@ FetchNameNoGC(JSObject *pobj, Shape *shape, MutableHandleValue vp)
         return false;
 
     vp.set(pobj->nativeGetSlot(shape->slot()));
-    return true;
+    return !IsUninitializedLexical(vp);
 }
 
 inline bool

js/src/vm/Interpreter.cpp

@@ -298,17 +298,9 @@ NameOperation(JSContext *cx, InterpreterFrame *fp, jsbytecode *pc, MutableHandle
 
     /* Kludge to allow (typeof foo == "undefined") tests. */
     JSOp op2 = JSOp(pc[JSOP_NAME_LENGTH]);
-    if (op2 == JSOP_TYPEOF) {
-        if (!FetchName<true>(cx, scopeRoot, pobjRoot, nameRoot, shapeRoot, vp))
-            return false;
-    } else {
-        if (!FetchName<false>(cx, scopeRoot, pobjRoot, nameRoot, shapeRoot, vp))
-            return false;
-    }
-
-    // NAME operations are the slow paths already, so unconditionally check
-    // for uninitialized lets.
-    return CheckUninitializedLexical(cx, nameRoot, vp);
+    if (op2 == JSOP_TYPEOF)
+        return FetchName<true>(cx, scopeRoot, pobjRoot, nameRoot, shapeRoot, vp);
+    return FetchName<false>(cx, scopeRoot, pobjRoot, nameRoot, shapeRoot, vp);
 }
 
 static inline bool