From 03fcb98c2b7362c2407f18a149f2a3aec3f95d9b Mon Sep 17 00:00:00 2001 From: Jeff Walden Date: Wed, 12 Feb 2014 13:21:16 -0800 Subject: [PATCH] Bug 961494 - Adjust an assertion to properly handle objects with built-in properties stored in reserved slots, where the last property of such an object may use a reserved slot that's not the last reserved slot. r=jorendorff, f=bhackett --- js/src/jsapi-tests/moz.build | 1 + .../testFreshGlobalEvalRedefinition.cpp | 47 +++++++++++++++++++ .../Exceptions/error-expando-reconfigure.js | 28 +++++++++++ js/src/vm/Shape.cpp | 14 +++++- 4 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 js/src/jsapi-tests/testFreshGlobalEvalRedefinition.cpp create mode 100644 js/src/tests/ecma_5/Exceptions/error-expando-reconfigure.js diff --git a/js/src/jsapi-tests/moz.build b/js/src/jsapi-tests/moz.build index 4bd7d131dbb5..35c99aefa029 100644 --- a/js/src/jsapi-tests/moz.build +++ b/js/src/jsapi-tests/moz.build @@ -29,6 +29,7 @@ UNIFIED_SOURCES += [ 'testException.cpp', 'testExternalStrings.cpp', 'testFindSCCs.cpp', + 'testFreshGlobalEvalRedefinition.cpp', 'testFuncCallback.cpp', 'testFunctionProperties.cpp', 'testGCExactRooting.cpp', diff --git a/js/src/jsapi-tests/testFreshGlobalEvalRedefinition.cpp b/js/src/jsapi-tests/testFreshGlobalEvalRedefinition.cpp new file mode 100644 index 000000000000..58489a1f0c28 --- /dev/null +++ b/js/src/jsapi-tests/testFreshGlobalEvalRedefinition.cpp @@ -0,0 +1,47 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- + * vim: set ts=8 sts=4 et sw=4 tw=99: + */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "jsapi-tests/tests.h" + +static bool +GlobalEnumerate(JSContext *cx, JS::Handle obj) +{ + return JS_EnumerateStandardClasses(cx, obj); +} + +static bool +GlobalResolve(JSContext *cx, JS::Handle obj, JS::Handle id) +{ + bool resolved = false; + return JS_ResolveStandardClass(cx, obj, id, &resolved); +} + +BEGIN_TEST(testRedefineGlobalEval) +{ + static const JSClass cls = { + "global", JSCLASS_GLOBAL_FLAGS, + JS_PropertyStub, JS_DeletePropertyStub, JS_PropertyStub, JS_StrictPropertyStub, + GlobalEnumerate, GlobalResolve, JS_ConvertStub + }; + + /* Create the global object. */ + JS::CompartmentOptions options; + options.setVersion(JSVERSION_LATEST); + JS::Rooted g(cx, JS_NewGlobalObject(cx, &cls, nullptr, JS::FireOnNewGlobalHook, options)); + if (!g) + return false; + + JSAutoCompartment ac(cx, g); + JS::Rooted v(cx); + CHECK(JS_GetProperty(cx, g, "Object", &v)); + + static const char data[] = "Object.defineProperty(this, 'eval', { configurable: false });"; + CHECK(JS_EvaluateScript(cx, g, data, mozilla::ArrayLength(data) - 1, __FILE__, __LINE__, v.address())); + + return true; +} +END_TEST(testRedefineGlobalEval) diff --git a/js/src/tests/ecma_5/Exceptions/error-expando-reconfigure.js b/js/src/tests/ecma_5/Exceptions/error-expando-reconfigure.js new file mode 100644 index 000000000000..c70ff5f853be --- /dev/null +++ b/js/src/tests/ecma_5/Exceptions/error-expando-reconfigure.js @@ -0,0 +1,28 @@ +/* + * Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/licenses/publicdomain/ + */ + +var gTestfile = "error-expando-reconfigure.js" +//----------------------------------------------------------------------------- +var BUGNUMBER = 961494; +var summary = + "Reconfiguring the first expando property added to an Error object " + + "shouldn't assert"; + +print(BUGNUMBER + ": " + summary); + +/************** + * BEGIN TEST * + **************/ + +var err = new Error(); // no message argument => no err.message property +err.expando = 17; +Object.defineProperty(err, "expando", { configurable: false }); + +/******************************************************************************/ + +if (typeof reportCompare === "function") + reportCompare(true, true); + +print("Tests complete"); diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp index 440a7e7232b7..ef033ceeccf4 100644 --- a/js/src/vm/Shape.cpp +++ b/js/src/vm/Shape.cpp @@ -352,10 +352,20 @@ JSObject::getChildPropertyOnDictionary(ThreadSafeContext *cx, JS::HandleObject o return nullptr; child.setSlot(slot); } else { - /* Slots can only be allocated out of order on objects in dictionary mode. */ + /* + * Slots can only be allocated out of order on objects in + * dictionary mode. Otherwise the child's slot must be after the + * parent's slot (if it has one), because slot number determines + * slot span for objects with that shape. Usually child slot + * *immediately* follows parent slot, but there may be a slot gap + * when the object uses some -- but not all -- of its reserved + * slots to store properties. + */ JS_ASSERT(obj->inDictionaryMode() || parent->hasMissingSlot() || - child.slot() == parent->maybeSlot() + 1); + child.slot() == parent->maybeSlot() + 1 || + (parent->maybeSlot() + 1 < JSSLOT_FREE(obj->getClass()) && + child.slot() == JSSLOT_FREE(obj->getClass()))); } }