From 39d50a6b8e831ff687d037dd927ac7273da771d8 Mon Sep 17 00:00:00 2001
From: David Mandelin
Date: Mon, 9 Nov 2009 15:36:41 -0800
Subject: [PATCH] Bug 525028: don't set args object properties from trace, r=dvander

---
 js/src/jsfun.cpp    | 14 +++++++++-----
 js/src/jstracer.cpp |  3 +++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index b399b2a0fed..feb38fd0d6a 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -555,17 +555,21 @@ ArgGetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
 static JSBool
 ArgSetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
 {
+    // To be able to set a property here on trace, we would have to make
+    // sure any updates also get written back to the trace native stack.
+    // For simplicity, we just leave trace, since this is presumably not
+    // a common operation.
+    if (JS_ON_TRACE(cx)) {
+        js_DeepBail(cx);
+        return false;
+    }
+
     if (!JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
         return true;
 
     if (JSVAL_IS_INT(idval)) {
         uintN arg = uintN(JSVAL_TO_INT(idval));
         if (arg < GetArgsLength(obj)) {
-            if (js_GetArgsPrivateNative(obj)) {
-                js_LeaveTrace(cx);
-                return false;
-            }
-
             JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
             if (fp) {
                 fp->argv[arg] = *vp;
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index c8a9bf9e5a3..86e4be37130 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -11827,6 +11827,9 @@ TraceRecorder::record_JSOP_SETELEM()
     LIns* idx_ins = get(&idx);
     LIns* v_ins = get(&v);
 
+    if (JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
+        RETURN_STOP_A("can't trace setting elements of the |arguments| object");
+
     if (!JSVAL_IS_INT(idx)) {
         if (!JSVAL_IS_PRIMITIVE(idx))
             RETURN_STOP_A("non-primitive index");
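Review bot: The removed `js_GetArgsPrivateNative(obj)` check guarded the `(JSStackFrame *) obj->getPrivate()` cast regardless of whether the interpreter or a trace was running, while the replacement `JS_ON_TRACE(cx)` bail only covers the on-trace case, so the cast and the `fp->argv[arg] = *vp` store now run for any arguments object once the interpreter is active. If an arguments object created on trace can still carry a native-stack private after the trace has exited, that store would go through the wrong pointer; I can't tell from the hunk whether leaving trace always rewrites the private first, so this is a point to confirm rather than a certain defect. Separately, `return false` after `js_DeepBail(cx)` with no exception pending reads like an error return to a maintainer; a comment stating what the caller does with a false return here — the removed `js_LeaveTrace` path relied on the same convention — would avoid that misreading, e.g. `// Returning false with no pending exception aborts the builtin; the interpreter redoes the store after the bail.` (phrasing to be confirmed against the trace exit code). ArgSetter's body continues outside the hunk.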
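Review bot: The added `JS_InstanceOf` test in record_JSOP_SETELEM is a recording-time abort with no comment, and no class guard for the non-arguments case is visible in the hunk, so a reader may assume this line alone keeps ArgSetter off trace; presumably the `JS_ON_TRACE` bail added to ArgSetter in the same patch is the runtime backstop for a compiled trace that later meets an arguments object at this site, and that division of labour is worth stating. I'd put above the check `// ArgSetter can't run on trace (stores would have to be written back to the native stack), so don't record element stores to |arguments|; ArgSetter bails if a compiled trace reaches it anyway.` Passing NULL as argv to `JS_InstanceOf` suppresses its error reporting, so it is being used purely as a class test; if JSObject exposes a class accessor alongside the `getPrivate()` used in jsfun.cpp, comparing the class pointer directly would make that intent plainer. Whether `obj` is guaranteed to be an object rather than a primitive at this point depends on code earlier in record_JSOP_SETELEM, which starts outside the hunk.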