Bug 1206700 - Fix a bug in property assignment, recently exposed by Reflect.set. r=waldo

SetExistingProperty() contains a fast path for the case when pobj and
receiver refer to the same object. Ordinarily, if that much is true,
then obj also refers to the same object, but with Reflect.set() it is
possible to arrange for receiver == pobj to be true while obj is some
other object.
Jason Orendorff 2015-10-01 09:37:46 -05:00
Parent 9fe43dfb43
Commit c006ac8bbd
2 changed files: 10 additions and 1 deletion


@ -0,0 +1,9 @@
var x = {};
Reflect.set(x, "prop", 5, Object.prototype);
var y = {};
Reflect.set(y, "prop", 6, Object.prototype);
assertEq(x.hasOwnProperty("prop"), false);
assertEq(y.hasOwnProperty("prop"), false);
assertEq(Object.prototype.prop, 6);
reportCompare(0, 0, "ok");
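
Review bot: The two Reflect.set calls carry no comment saying which one is the regression case, and nothing is asserted between them. The first call only creates prop on Object.prototype; it is the second call, with y as target and Object.prototype as receiver, that finds an existing prop on the receiver while the target is a different object. A one-line comment to that effect, plus assertEq(Object.prototype.prop, 5) right after the first call, would make a failure point at the right step. The test also leaves prop defined on Object.prototype; consider delete Object.prototype.prop before reportCompare so later code in the same global is unaffected.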


@ -2244,7 +2244,7 @@ SetExistingProperty(JSContext* cx, HandleNativeObject obj, HandleId id, HandleVa
Rooted<ArrayObject*> arr(cx, &pobj->as<ArrayObject>()); Rooted<ArrayObject*> arr(cx, &pobj->as<ArrayObject>());
return ArraySetLength(cx, arr, id, shape->attributes(), v, result); return ArraySetLength(cx, arr, id, shape->attributes(), v, result);
} }
return NativeSetExistingDataProperty(cx, obj, shape, v, receiver, result); return NativeSetExistingDataProperty(cx, pobj, shape, v, receiver, result);
} }
// SpiderMonkey special case: assigning to an inherited slotless // SpiderMonkey special case: assigning to an inherited slotless
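
Review bot: On the changed NativeSetExistingDataProperty line, nothing at the call site records why pobj is passed rather than obj, so a later cleanup could easily revert it. shape is the one used with pobj in the ArraySetLength call just above, and the commit message says obj can be a different object on this path; a short comment saying so would help. Consider also a debug assertion at the top of NativeSetExistingDataProperty that the object it is given actually has shape, so a mismatched object and shape pair is caught in debug builds instead of a write going through a shape that belongs to another object.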