Bug 449657 - JS_SealObject fails on Array objects (r=mrbkap, a=sayrer).

2008-12-07 00:03:12 -08:00 · 2008-12-07 00:03:12 -08:00 · 25f99f0b34
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@ -819,7 +819,7 @@ JS_DestroyRuntime(JSRuntime *rt)
        while ((cx = js_ContextIterator(rt, JS_TRUE, &iter)) != NULL) {
            fprintf(stderr,
 "JS API usage error: found live context at %p\n",
-                    cx);
+                    (void *) cx);
            cxcount++;
        }
        fprintf(stderr,
@ -3043,6 +3043,9 @@ JS_SealObject(JSContext *cx, JSObject *obj, JSBool deep)
    uint32 nslots, i;
    jsval v;

+    if (OBJ_IS_DENSE_ARRAY(cx, obj) && !js_MakeArraySlow(cx, obj))
+        return JS_FALSE;
+
    if (!OBJ_IS_NATIVE(obj)) {
        JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                             JSMSG_CANT_SEAL_OBJECT,
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -3849,6 +3849,15 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
    CHECK_FOR_STRING_INDEX(id);
    JS_COUNT_OPERATION(cx, JSOW_SET_PROPERTY);

+    /*
+     * We peek at OBJ_SCOPE(obj) without locking obj. Any race means a failure
+     * to seal before sharing, which is inherently ambiguous.
+     */
+    if (SCOPE_IS_SEALED(OBJ_SCOPE(obj)) && OBJ_SCOPE(obj)->object == obj) {
+        flags = JSREPORT_ERROR;
+        goto read_only_error;
+    }
+
    shape = OBJ_SHAPE(obj);
    protoIndex = js_LookupPropertyWithFlags(cx, obj, id, cx->resolveFlags,
                                            &pobj, &prop);
@ -3886,7 +3895,7 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,

        attrs = sprop->attrs;
        if ((attrs & JSPROP_READONLY) ||
-            (SCOPE_IS_SEALED(scope) && pobj == obj)) {
+            (SCOPE_IS_SEALED(scope) && (attrs & JSPROP_SHARED))) {
            JS_UNLOCK_SCOPE(cx, scope);

            /*
@ -3973,11 +3982,6 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
    }

    if (!sprop) {
-        if (SCOPE_IS_SEALED(OBJ_SCOPE(obj)) && OBJ_SCOPE(obj)->object == obj) {
-            flags = JSREPORT_ERROR;
-            goto read_only_error;
-        }
-
        /*
         * Purge the property cache of now-shadowed id in obj's scope chain.
         * Do this early, before locking obj to avoid nesting locks.