Bug 1676631: Update local slots in SetFrameArgumentsObject r=jandem

iainireland · iainireland · commit 075258e4b82c · 2020-11-13T13:16:48.000Z
Differential Revision: https://phabricator.services.mozilla.com/D96928
diff --git a/js/src/vm/JSScript.cpp b/js/src/vm/JSScript.cpp
@@ -4725,6 +4725,15 @@ void js::SetFrameArgumentsObject(JSContext* cx, AbstractFramePtr frame,
       frame.unaliasedLocal(frameSlot) = ObjectValue(*argsobj);
     }
   }
+
+  // JS_OPTIMIZED_ARGUMENTS may also have been stored to a local slot
+  // during bailout. Update those local slots.
+  for (uint32_t i = 0; i < script->nfixed(); i++) {
+    Value& value = frame.unaliasedLocal(i);
+    if (value.isMagic() && value.whyMagic() == JS_OPTIMIZED_ARGUMENTS) {
+      frame.unaliasedLocal(i) = ObjectValue(*argsobj);
+    }
+  }
 }
 
 /* static */

Original file line number	Diff line number	Diff line change
`@@ -4725,6 +4725,15 @@ void js::SetFrameArgumentsObject(JSContext* cx, AbstractFramePtr frame,`
`4725`	`4725`	`frame.unaliasedLocal(frameSlot) = ObjectValue(*argsobj);`
`4726`	`4726`	`}`
`4727`	`4727`	`}`
	`4728`	`+`
	`4729`	`+ // JS_OPTIMIZED_ARGUMENTS may also have been stored to a local slot`
	`4730`	`+ // during bailout. Update those local slots.`
	`4731`	`+ for (uint32_t i = 0; i < script->nfixed(); i++) {`
	`4732`	`+ Value& value = frame.unaliasedLocal(i);`
	`4733`	`+ if (value.isMagic() && value.whyMagic() == JS_OPTIMIZED_ARGUMENTS) {`
	`4734`	`+ frame.unaliasedLocal(i) = ObjectValue(*argsobj);`
	`4735`	`+ }`
	`4736`	`+ }`
`4728`	`4737`	`}`
`4729`	`4738`
`4730`	`4739`	`/* static */`