Bug 829813 - Add more checks for dense element lookup results, r=billmm.

2013-01-14 14:46:32 -07:00 · 2013-01-14 14:46:32 -07:00 · 6660659ff1
--- a/js/src/jit-test/tests/basic/bug829813.js
+++ b/js/src/jit-test/tests/basic/bug829813.js
@ -0,0 +1,6 @@
+
+for (x in [0]) {
+    (function() {
+        return Object.propertyIsEnumerable
+    })().call([0], x)
+}
--- a/js/src/jit-test/tests/basic/bug829821.js
+++ b/js/src/jit-test/tests/basic/bug829821.js
@ -0,0 +1,5 @@
+
+
+x = [];
+x.unshift(Uint8ClampedArray);
+x.forEach(Array.prototype.push.bind(new Uint8ClampedArray))
--- a/js/src/jit-test/tests/basic/bug830045.js
+++ b/js/src/jit-test/tests/basic/bug830045.js
@ -0,0 +1,6 @@
+
+Array.prototype[1] = 'y';
+var a = [0, (8)];
+for (var i in a) {
+    delete a[1];
+}
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@ -3311,7 +3311,7 @@ TypeObject::addProperty(JSContext *cx, jsid id, Property **pprop)
        return false;
    }

-    if (singleton) {
+    if (singleton && singleton->isNative()) {
        /*
         * Fill the property in with any type the object already has in an own
         * property. We are only interested in plain native properties and
@ -3338,7 +3338,7 @@ TypeObject::addProperty(JSContext *cx, jsid id, Property **pprop)
                    base->types.addType(cx, type);
                }
            }
-        } else if (!JSID_IS_EMPTY(id) && singleton->isNative()) {
+        } else if (!JSID_IS_EMPTY(id)) {
            UnrootedShape shape = singleton->nativeLookup(cx, id);
            if (shape)
                UpdatePropertyType(cx, &base->types, rSingleton, shape, false);
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@ -1103,7 +1103,7 @@ SuppressDeletedPropertyHelper(JSContext *cx, HandleObject obj, StringPredicate p
                        if (prop) {
                            unsigned attrs;
                            if (obj2->isNative())
-                                attrs = prop->attributes();
+                                attrs = IsImplicitProperty(prop) ? JSPROP_ENUMERATE : prop->attributes();
                            else if (!JSObject::getGenericAttributes(cx, obj2, id, &attrs))
                                return false;

--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -270,7 +270,7 @@ js::GetOwnPropertyDescriptor(JSContext *cx, HandleObject obj, HandleId id,

    bool doGet = true;
    if (pobj->isNative()) {
-        desc->attrs = IsImplicitProperty(shape) ? JSPROP_ENUMERATE : shape->attributes();
+        desc->attrs = GetShapeAttributes(shape);
        if (desc->attrs & (JSPROP_GETTER | JSPROP_SETTER)) {
            doGet = false;
            if (desc->attrs & JSPROP_GETTER)
@ -3975,7 +3975,7 @@ baseops::GetAttributes(JSContext *cx, HandleObject obj, HandleId id, unsigned *a
    if (!nobj->isNative())
        return JSObject::getGenericAttributes(cx, nobj, id, attrsp);

-    *attrsp = shape->attributes();
+    *attrsp = GetShapeAttributes(shape);
    return true;
 }

@ -3993,7 +3993,7 @@ baseops::GetElementAttributes(JSContext *cx, HandleObject obj, uint32_t index, u
    if (!nobj->isNative())
        return JSObject::getElementAttributes(cx, nobj, index, attrsp);

-    *attrsp = shape->attributes();
+    *attrsp = GetShapeAttributes(shape);
    return true;
 }

@ -4006,6 +4006,11 @@ baseops::SetAttributes(JSContext *cx, HandleObject obj, HandleId id, unsigned *a
        return false;
    if (!shape)
        return true;
+    if (nobj->isNative() && IsImplicitProperty(shape)) {
+        if (!JSObject::sparsifyDenseElement(cx, nobj, JSID_TO_INT(id)))
+            return false;
+        shape = obj->nativeLookup(cx, id);
+    }
    return nobj->isNative()
           ? JSObject::changePropertyAttributes(cx, nobj, shape, *attrsp)
           : JSObject::setGenericAttributes(cx, nobj, id, attrsp);
@ -4020,6 +4025,11 @@ baseops::SetElementAttributes(JSContext *cx, HandleObject obj, uint32_t index, u
        return false;
    if (!shape)
        return true;
+    if (nobj->isNative() && IsImplicitProperty(shape)) {
+        if (!JSObject::sparsifyDenseElement(cx, obj, index))
+            return false;
+        shape = obj->nativeLookup(cx, INT_TO_JSID(index));
+    }
    return nobj->isNative()
           ? JSObject::changePropertyAttributes(cx, nobj, shape, *attrsp)
           : JSObject::setElementAttributes(cx, nobj, index, attrsp);
@ -4282,13 +4292,12 @@ js::CheckAccess(JSContext *cx, JSObject *obj_, HandleId id, JSAccessMode mode,
            break;
        }

-        if (IsImplicitProperty(shape)) {
-            *attrsp = JSPROP_ENUMERATE;
-            if (!writing)
+        *attrsp = GetShapeAttributes(shape);
+
+        if (!writing) {
+            if (IsImplicitProperty(shape)) {
                vp.set(pobj->getDenseElement(JSID_TO_INT(id)));
-        } else {
-            *attrsp = shape->attributes();
-            if (!writing) {
+            } else {
                if (shape->hasSlot())
                    vp.set(pobj->nativeGetSlot(shape->slot()));
                else
--- a/js/src/jsscopeinlines.h
+++ b/js/src/jsscopeinlines.h
@ -511,6 +511,12 @@ IsImplicitProperty(HandleShape prop)
    return prop.get() == reinterpret_cast<Shape*>(1);
 }

+static inline uint8_t
+GetShapeAttributes(HandleShape shape)
+{
+    return IsImplicitProperty(shape) ? JSPROP_ENUMERATE : shape->attributes();
+}
+
 } /* namespace js */

 #endif /* jsscopeinlines_h___ */