From 96904e1794ccadffa9869c86f2edaba14faf07ec Mon Sep 17 00:00:00 2001
From: Wes Kocher <wkocher@mozilla.com>
Date: Wed, 29 Oct 2014 14:14:42 -0700
Subject: [PATCH] Backed out changeset 750b497aea43 (bug 1089761) for
 rootanalysis orange on a CLOSED TREE

---
 js/src/jit-test/tests/ion/bug1089761.js | 14 --------------
 js/src/vm/ScopeObject-inl.h             |  4 ++--
 js/src/vm/ScopeObject.cpp               |  5 +----
 3 files changed, 3 insertions(+), 20 deletions(-)
 delete mode 100644 js/src/jit-test/tests/ion/bug1089761.js

diff --git a/js/src/jit-test/tests/ion/bug1089761.js b/js/src/jit-test/tests/ion/bug1089761.js
deleted file mode 100644
index b2940b671408..000000000000
--- a/js/src/jit-test/tests/ion/bug1089761.js
+++ /dev/null
@@ -1,14 +0,0 @@
-var hits = 0;
-for (var j = 0; j < 9; ++j) {
-    try {
-        (function() {
-            (function() {
-                eval("x")
-                let x
-            })()
-        })()
-    } catch (e) {
-      hits++;
-    }
-}
-assertEq(hits, 9);
diff --git a/js/src/vm/ScopeObject-inl.h b/js/src/vm/ScopeObject-inl.h
index 26f4785e88a0..8176333f3f51 100644
--- a/js/src/vm/ScopeObject-inl.h
+++ b/js/src/vm/ScopeObject-inl.h
@@ -57,9 +57,9 @@ inline void
 CallObject::setAliasedLexicalsToThrowOnTouch(JSScript *script)
 {
     uint32_t aliasedLexicalBegin = script->bindings.aliasedBodyLevelLexicalBegin();
-    uint32_t aliasedLexicalEnd = slotSpan();
+    uint32_t aliasedLexicalEnd = numFixedSlots();
     for (uint32_t slot = aliasedLexicalBegin; slot < aliasedLexicalEnd; slot++)
-        initSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
+        initFixedSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));
 }
 
 template <AllowGC allowGC>
diff --git a/js/src/vm/ScopeObject.cpp b/js/src/vm/ScopeObject.cpp
index fed7d2b96413..9547a6480543 100644
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -198,10 +198,6 @@ CallObject::createTemplateObject(JSContext *cx, HandleScript script, gc::Initial
     if (!obj)
         return nullptr;
 
-    // Set uninitialized lexicals even on template objects, as Ion will
-    // copy over the template object's slot values in the fast path.
-    obj->as<CallObject>().setAliasedLexicalsToThrowOnTouch(script);
-
     return &obj->as<CallObject>();
 }
 
@@ -221,6 +217,7 @@ CallObject::create(JSContext *cx, HandleScript script, HandleObject enclosing, H
 
     callobj->as<ScopeObject>().setEnclosingScope(enclosing);
     callobj->initFixedSlot(CALLEE_SLOT, ObjectOrNullValue(callee));
+    callobj->setAliasedLexicalsToThrowOnTouch(script);
 
     if (script->treatAsRunOnce()) {
         Rooted<CallObject*> ncallobj(cx, callobj);