From 2c2a097eddfbee3a393df7acc65ad16545715358 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Fri, 3 Dec 2010 11:46:53 -0800
Subject: [PATCH] Fix crash in ic::Name with weird scope chains (bug 616508, r=dmandelin).
---
 js/src/jit-test/tests/jaeger/bug616508.js | 9 +++++++++
 js/src/methodjit/PolyIC.cpp | 21 ++++++++++-----------
 2 files changed, 19 insertions(+), 11 deletions(-)
 create mode 100644 js/src/jit-test/tests/jaeger/bug616508.js
diff --git a/js/src/jit-test/tests/jaeger/bug616508.js b/js/src/jit-test/tests/jaeger/bug616508.js
new file mode 100644
index 000000000000..8548ce4966c1
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug616508.js
@@ -0,0 +1,9 @@
+// |jit-test| error: ReferenceError
+// vim: set ts=4 sw=4 tw=99 et:
+try {
+ (function () {
+ __proto__ = Uint32Array()
+ }())
+} catch (e) {}(function () {
+ length, ([eval()] ? x : 7)
+})()
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index 40f25d53e48c..1a52687e4012
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
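Review bot: The test carries no comment beyond the jit-test directive, so a reader cannot tell which construct exercises the fixed path; presumably the `__proto__ = Uint32Array()` assignment on the global followed by the bare `length` lookup is what builds the scope chain the commit title calls weird, with the expected ReferenceError coming from the unresolved `x`. A one-line comment above `try {`, e.g. `// bug 616508: a name lookup whose holder sits behind a non-native proto must not crash ic::Name`, would keep the intent recoverable if the case is reduced further.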
@@ -1477,17 +1477,16 @@ class ScopeNameCompiler : public PICStubCompiler
 return false;
 }
- if (!obj->isNative() || !holder->isNative()) {
- if (!obj->getProperty(cx, ATOM_TO_JSID(atom), vp))
- return false;
- } else {
- const Shape *shape = getprop.shape;
- JS_ASSERT(shape);
- JSObject *normalized = obj;
- if (obj->getClass() == &js_WithClass && !shape->hasDefaultGetter())
- normalized = js_UnwrapWithObject(cx, obj);
- NATIVE_GET(cx, normalized, holder, shape, JSGET_METHOD_BARRIER, vp, return false);
- }
+ // If the property was found, but we decided not to cache it, then
+ // take a slow path and do a full property fetch.
+ if (!getprop.shape)
+ return obj->getProperty(cx, ATOM_TO_JSID(atom), vp);
+
+ const Shape *shape = getprop.shape;
+ JSObject *normalized = obj;
+ if (obj->getClass() == &js_WithClass && !shape->hasDefaultGetter())
+ normalized = js_UnwrapWithObject(cx, obj);
+ NATIVE_GET(cx, normalized, holder, shape, JSGET_METHOD_BARRIER, vp, return false);
 return true;
 }
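Review bot: The early return on `getprop.shape` replaces the explicit `obj->isNative() || holder->isNative()` test, so the NATIVE_GET that follows now depends on the lookup that fills `getprop.shape` leaving it null whenever either object is non-native; that lookup is outside this hunk and nothing here re-checks it. If that invariant holds, stating it locally would turn a future regression into an assertion failure rather than the crash this bug describes: `JS_ASSERT(obj->isNative() && holder->isNative());` immediately before `const Shape *shape = getprop.shape;`. The enclosing method begins before this hunk, so how `holder` is obtained on the slow path is not visible here.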