Always generate new shapes when setting uncacheable flags after prototype changes, don't cache native iterators for objects with uncacheable prototypes, bug 705895.

2024-09-13 09:24:08 -07:00 · 2011-11-28 17:27:00 -08:00 · 2011-11-28 17:27:00 -08:00 · 031d257786
commit 031d257786
parent e970326d58
5 changed files with 31 additions and 6 deletions
--- a/js/src/jit-test/tests/basic/bug705895-1.js
+++ b/js/src/jit-test/tests/basic/bug705895-1.js
@ -0,0 +1,11 @@
+c = (0).__proto__
+function f(o) {
+    o.__proto__ = null
+    for (x in o) {}
+}
+for (i = 0; i < 9; i++) {
+    f(c)
+    Function.prototype.__proto__.__proto__ = c
+    for (x in Function.prototype.__proto__) {}
+    f(Math.__proto__)
+}
--- a/js/src/jit-test/tests/basic/bug705895-2.js
+++ b/js/src/jit-test/tests/basic/bug705895-2.js
@ -0,0 +1,13 @@
+// |jit-test| error: TypeError
+function f(o) {
+    for (j = 0; j < 9; j++) {
+        if (j) {
+            o.__proto__ = null
+        }
+        for (v in o) {}
+    }
+}
+for (i = 0; i < 9; i++) {
+    (new Boolean).__proto__.__defineGetter__("toString", function() {})
+    f(Boolean.prototype)
+}
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@ -622,6 +622,7 @@ GetIterator(JSContext *cx, JSObject *obj, uintN flags, Value *vp)
            JSObject *pobj = obj;
            do {
                if (!pobj->isNative() ||
+                    pobj->hasUncacheableProto() ||
                    obj->getOps()->enumerate ||
                    pobj->getClass()->enumerate != JS_EnumerateStub) {
                    shapes.clear();
--- a/js/src/jsscope.cpp
+++ b/js/src/jsscope.cpp
@ -1193,9 +1193,9 @@ JSObject::protoShapeChange(JSContext *cx)
     * See ResolvePrototype in dom/base/nsDOMClassInfo.cpp.
     */
    if (!lastProperty()->hasObjectFlag(BaseShape::CHANGED_PROTO))
-        return setFlag(cx, BaseShape::CHANGED_PROTO);
+        return setFlag(cx, BaseShape::CHANGED_PROTO, GENERATE_SHAPE);

-    return setFlag(cx, js::BaseShape::UNCACHEABLE_PROTO);
+    return setFlag(cx, BaseShape::UNCACHEABLE_PROTO, GENERATE_SHAPE);
 }

 bool
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -6055,8 +6055,8 @@ mjit::Compiler::iter(uintN flags)
    /* Compare shape of object with iterator. */
    masm.loadShape(reg, T1);
    masm.loadPtr(Address(nireg, offsetof(NativeIterator, shapes_array)), T2);
-    masm.load32(Address(T2, 0), T2);
-    Jump mismatchedObject = masm.branch32(Assembler::NotEqual, T1, T2);
+    masm.loadPtr(Address(T2, 0), T2);
+    Jump mismatchedObject = masm.branchPtr(Assembler::NotEqual, T1, T2);
    stubcc.linkExit(mismatchedObject, Uses(1));

    /* Compare shape of object's prototype with iterator. */
@ -6064,8 +6064,8 @@ mjit::Compiler::iter(uintN flags)
    masm.loadPtr(Address(T1, offsetof(types::TypeObject, proto)), T1);
    masm.loadShape(T1, T1);
    masm.loadPtr(Address(nireg, offsetof(NativeIterator, shapes_array)), T2);
-    masm.load32(Address(T2, sizeof(uint32)), T2);
-    Jump mismatchedProto = masm.branch32(Assembler::NotEqual, T1, T2);
+    masm.loadPtr(Address(T2, sizeof(Shape *)), T2);
+    Jump mismatchedProto = masm.branchPtr(Assembler::NotEqual, T1, T2);
    stubcc.linkExit(mismatchedProto, Uses(1));

    /*