Beware non-native objects along scope and proto chains in property cache hit testing (418540, r=shaver).

2008-02-20 21:51:12 -08:00 · 2008-02-20 21:51:12 -08:00 · ae4797fd62
--- a/js/src/jsinterp.c
+++ b/js/src/jsinterp.c
@ -268,6 +268,7 @@ js_FullTestPropertyCache(JSContext *cx, jsbytecode *pc,
    }

    obj = *objp;
+    JS_ASSERT(OBJ_IS_NATIVE(obj));
    entry = &JS_PROPERTY_CACHE(cx).table[PROPERTY_CACHE_HASH_ATOM(atom, obj, NULL)];
    *entryp = entry;
    vcap = entry->vcap;
@ -307,7 +308,7 @@ js_FullTestPropertyCache(JSContext *cx, jsbytecode *pc,
    if (JOF_MODE(cs->format) == JOF_NAME) {
        while (vcap & (PCVCAP_SCOPEMASK << PCVCAP_PROTOBITS)) {
            tmp = LOCKED_OBJ_GET_PARENT(pobj);
-            if (!tmp)
+            if (!tmp || !OBJ_IS_NATIVE(tmp))
                break;
            JS_UNLOCK_OBJ(cx, pobj);
            pobj = tmp;
@ -320,7 +321,7 @@ js_FullTestPropertyCache(JSContext *cx, jsbytecode *pc,

    while (vcap & PCVCAP_PROTOMASK) {
        tmp = LOCKED_OBJ_GET_PROTO(pobj);
-        if (!tmp)
+        if (!tmp || !OBJ_IS_NATIVE(tmp))
            break;
        JS_UNLOCK_OBJ(cx, pobj);
        pobj = tmp;
--- a/js/src/jsinterp.h
+++ b/js/src/jsinterp.h
@ -280,7 +280,8 @@ js_FillPropertyCache(JSContext *cx, JSObject *obj, jsuword kshape,
            JS_LOCK_OBJ(cx, pobj);                                            \
            JS_ASSERT(PCVCAP_TAG(entry->vcap) <= 1);                          \
            if (PCVCAP_TAG(entry->vcap) == 1 &&                               \
-                (tmp_ = LOCKED_OBJ_GET_PROTO(pobj)) != NULL) {                \
+                (tmp_ = LOCKED_OBJ_GET_PROTO(pobj)) != NULL &&                \
+                OBJ_IS_NATIVE(tmp_)) {                                        \
                JS_UNLOCK_OBJ(cx, pobj);                                      \
                pobj = tmp_;                                                  \
                JS_LOCK_OBJ(cx, pobj);                                        \