From 1fd48d7c0136fdd49efbb90c98167cca95c51d40 Mon Sep 17 00:00:00 2001
From: Tooru Fujisawa
Date: Fri, 15 Apr 2016 12:32:37 +0900
Subject: [PATCH] Bug 1263558 - Part 4: Call initBuiltinConstructor after defining properties in InitStringClass. r=till

---
 js/src/jit-test/tests/auto-regress/bug1263558.js | 16 ++++++++++++++++
 js/src/jsstr.cpp | 6 +++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 js/src/jit-test/tests/auto-regress/bug1263558.js

diff --git a/js/src/jit-test/tests/auto-regress/bug1263558.js b/js/src/jit-test/tests/auto-regress/bug1263558.js
new file mode 100644
index 000000000000..2377a57f9298
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1263558.js
@@ -0,0 +1,16 @@
+if (!('oomTest' in this))
+ quit();
+
+evalcx(`
+ eval('\
+ var appendToActual = function(s) {};\
+ gczeal = function() {};\
+ gcslice = function() {};\
+ selectforgc = function() {};\
+ if (!("verifyprebarriers" in this)) {\
+ verifyprebarriers = function() {};\
+ }\
+ ');
+ oomTest(() => eval('Array(..."")'));
+ Intl.NumberFormat.prototype.format(0);
+`, newGlobal());
diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
index 6e29c3bcdbb3..3467cb57f565 100644
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -2767,9 +2767,6 @@ js::InitStringClass(JSContext* cx, HandleObject obj)
 if (!ctor)
 return nullptr;
 
- if (!GlobalObject::initBuiltinConstructor(cx, global, JSProto_String, ctor, proto))
- return nullptr;
-
 if (!LinkConstructorAndPrototype(cx, ctor, proto))
 return nullptr;
 
@@ -2786,6 +2783,9 @@ js::InitStringClass(JSContext* cx, HandleObject obj)
 if (!JS_DefineFunctions(cx, global, string_functions))
 return nullptr;
 
+ if (!GlobalObject::initBuiltinConstructor(cx, global, JSProto_String, ctor, proto))
+ return nullptr;
+
 return proto;
 }
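Review bot: The test dereferences `Intl.NumberFormat.prototype` unconditionally, but only `oomTest` is feature-checked at the top, so on a shell built without the Intl API it would presumably fail with a ReferenceError instead of being skipped. Widening the guard to `if (!('oomTest' in this) || typeof Intl !== 'object')` keeps the regression check from turning into a false failure on such builds. A one-line comment saying that the test apparently exercises an OOM during String class initialization in a fresh global would also help whoever has to triage it later.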
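Review bot: The relocated `GlobalObject::initBuiltinConstructor` call at the end of `js::InitStringClass` carries no comment saying why it must come last, so a later edit could add a fallible step after it and reintroduce the state this patch removes: a constructor and prototype already recorded in the global while their setup failed part-way (for example under OOM). I would add above the call `// Must stay last: record ctor/proto in the global only after every fallible step has succeeded, so a failure cannot leave a half-initialized String class reachable.` Separately, `JS_DefineFunctions(cx, global, string_functions)` now runs before the class is recorded, so if the final call fails the global keeps those functions without a String constructor; whether a later retry tolerates that depends on code outside this hunk and is worth confirming. The function body starts above the hunk.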