fix failure restoring arguments object when aliased in try block

MikeHolman · MikeHolman · commit 9c4c3f9aed7b · 2019-06-06T15:51:42.000-07:00
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -1537,6 +1537,17 @@ GlobOpt::OptArguments(IR::Instr *instr)
             CannotAllocateArgumentsObjectOnStack(instr->m_func);
             return;
         }
+
+        // Disable stack args if we are aliasing arguments inside try block to a writethrough symbol.
+        // We don't have precise tracking of these symbols, so bailout couldn't know if it needs to restore arguments object or not after exception
+        Region* tryRegion = this->currentRegion ? this->currentRegion->GetSelfOrFirstTryAncestor() : nullptr;
+        if (tryRegion && tryRegion->GetType() == RegionTypeTry &&
+            tryRegion->writeThroughSymbolsSet &&
+            tryRegion->writeThroughSymbolsSet->Test(dst->AsRegOpnd()->m_sym->m_id))
+        {
+            CannotAllocateArgumentsObjectOnStack(instr->m_func);
+            return;
+        }
         if(!dst->AsRegOpnd()->GetStackSym()->m_nonEscapingArgObjAlias)
         {
             CurrentBlockData()->TrackArgumentsSym(dst->AsRegOpnd());
diff --git a/test/Optimizer/argrestoreintry.js b/test/Optimizer/argrestoreintry.js
@@ -0,0 +1,20 @@
+function bar() {
+    throw new Error();
+}
+function foo() {
+    try {
+        x = arguments;
+        bar();
+    } catch (e) {
+        return x.length;
+    } 
+    var x = {
+        j: 1,
+        k: 2.2
+    };
+}
+foo();
+foo();
+let pass = foo() === 0;
+
+print(pass ? "Pass" : "Fail")
diff --git a/test/Optimizer/rlexe.xml b/test/Optimizer/rlexe.xml
@@ -1611,4 +1611,10 @@
       <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>argrestoreintry.js</files>
+      <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1</compile-flags>
+    </default>
+  </test>
 </regress-exe>
