#533: backout 'eliminate one potential cause' for crashes in GC

js/src/frontend/FullParseHandler.h

@@ -1018,14 +1018,6 @@ class FullParseHandler
         syntaxParser = nullptr;
     }
 
-    // TenFourFox issue 533, from M1263355
-    bool canSkipLazyInnerFunctions() {
-        return !!lazyOuterFunction_;
-    }
-    bool canSkipLazyClosedOverBindings() {
-        return !!lazyOuterFunction_;
-    }
-
     LazyScript* lazyOuterFunction() {
         return lazyOuterFunction_;
     }

js/src/frontend/Parser.cpp

@@ -1120,11 +1120,8 @@ Parser<FullParseHandler>::defineFunctionThis()
 
     // Also define a this-binding if direct eval is used, in derived class
     // constructors (JSOP_CHECKRETURN relies on it) or if there's a debugger
-    // statement, or if this is a lazy script that has a this-binding
-    // (TenFourFox issue 533).
+    // statement.
     if (pc->sc->hasDirectEval() ||
-        (handler.canSkipLazyClosedOverBindings() &&
-         pc->sc->asFunctionBox()->function()->lazyScript()->hasThisBinding()) ||
         pc->sc->asFunctionBox()->isDerivedClassConstructor() ||
         pc->sc->hasDebuggerStatement())
     {
@@ -2939,9 +2936,6 @@ Parser<SyntaxParseHandler>::finishFunctionDefinition(Node pn, FunctionBox* funbo
         lazy->setIsDerivedClassConstructor();
     if (funbox->needsHomeObject())
         lazy->setNeedsHomeObject();
-    // TenFourFox issue 533
-    if (funbox->hasThisBinding())
-        lazy->setHasThisBinding();
     PropagateTransitiveParseFlags(funbox, lazy);
 
     fun->initLazyScript(lazy);

js/src/jsscript.cpp

@@ -4282,7 +4282,6 @@ LazyScript::CreateRaw(ExclusiveContext* cx, HandleFunction fun,
     p.hasBeenCloned = false;
     p.treatAsRunOnce = false;
     p.isAsync = false;
-    p.hasThisBinding = false;
 
     size_t bytes = (p.numFreeVariables * sizeof(FreeVariable))
                  + (p.numInnerFunctions * sizeof(HeapPtrFunction));
@@ -4313,7 +4312,6 @@ LazyScript::CreateRaw(ExclusiveContext* cx, HandleFunction fun,
     };
 
     p.version = version;
-    p.hasThisBinding = false;
     p.numFreeVariables = numFreeVariables;
     p.isAsync = false;
     p.numInnerFunctions = numInnerFunctions;

js/src/jsscript.h

@@ -2150,7 +2150,7 @@ class LazyScript : public gc::TenuredCell
     // instead of private to suppress -Wunused-private-field compiler warnings.
   protected:
 #if JS_BITS_PER_WORD == 32
-    //uint32_t padding; // widened after TenFourFox issue 533
+    uint32_t padding;
 #endif
   private:
 
@@ -2158,7 +2158,8 @@ class LazyScript : public gc::TenuredCell
         // Assorted bits that should really be in ScriptSourceObject.
         uint32_t version : 8;
 
-        uint32_t numFreeVariables : 22;
+        uint32_t numFreeVariables : 23;
+        uint32_t isAsync: 1;
         uint32_t numInnerFunctions : 20;
 
         uint32_t generatorKindBits : 2;
@@ -2166,8 +2167,6 @@ class LazyScript : public gc::TenuredCell
         // N.B. These are booleans but need to be uint32_t to pack correctly on MSVC.
         // If you add another boolean here, make sure to initialze it in
         // LazyScript::CreateRaw().
-        uint32_t hasThisBinding : 1;
-        uint32_t isAsync: 1;
         uint32_t strict : 1;
         uint32_t bindingsAccessedDynamically : 1;
         uint32_t hasDebuggerStatement : 1;
@@ -2369,13 +2368,6 @@ class LazyScript : public gc::TenuredCell
         p_.needsHomeObject = true;
     }
 
-    bool hasThisBinding() const {
-        return p_.hasThisBinding;
-    }
-    void setHasThisBinding() {
-        p_.hasThisBinding = true;
-    }
-
     const char* filename() const {
         return scriptSource()->filename();
     }