Bug 1135718 - Convert unboxed plain objects to natives before changing their prototype, r=jandem.

2015-02-25 09:33:04 -06:00 · 2015-02-25 09:33:04 -06:00 · 512025dfa5
--- a/js/src/jit-test/tests/basic/bug1135718.js
+++ b/js/src/jit-test/tests/basic/bug1135718.js
@ -0,0 +1,13 @@
+
+setJitCompilerOption("ion.warmup.trigger", 30);
+function ArrayCallback(state)
+  this.state = state;
+ArrayCallback.prototype.isUpperCase = function(v, index, array) {
+    return this.state ? true : (v == v.toUpperCase());
+};
+strings = ['hello', 'Array', 'WORLD'];
+obj = new ArrayCallback(false);
+strings.filter(obj.isUpperCase, obj)
+obj = new ArrayCallback(true);
+strings.filter(obj.isUpperCase, obj)
+obj.__proto__ = {};
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -3182,6 +3182,11 @@ js::SetPrototype(JSContext *cx, HandleObject obj, HandleObject proto, bool *succ
            return false;
    }

+    // Convert unboxed objects to their native representations before changing
+    // their prototype/group, as they depend on the group for their layout.
+    if (obj->is<UnboxedPlainObject>() && !UnboxedPlainObject::convertToNative(cx, obj))
+        return false;
+
    Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
    *succeeded = SetClassAndProto(cx, obj, obj->getClass(), taggedProto);
    return *succeeded;