From 22ba7f297366f1a9181988c5ace75b260720d9a8 Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Sun, 13 Mar 2011 21:29:30 -0700
Subject: [PATCH] [INFER] Watch out computing 'new' value for functions given a non-function type via setting __proto__, bug 640993.
---
 js/src/jit-test/tests/basic/bug640993.js | 7 +++++++
 js/src/jsinfer.cpp | 16 +++++++++-------
 2 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bug640993.js
diff --git a/js/src/jit-test/tests/basic/bug640993.js b/js/src/jit-test/tests/basic/bug640993.js
new file mode 100644
index 00000000000..45ce0856a31
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug640993.js
@@ -0,0 +1,7 @@
+function f() {
+ return f;
+}
+f.__proto__ = null;
+gc();
+f();
+new f();
diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
index 808739a223f..8982c5169b9 100644
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -3646,15 +3646,17 @@ AnalyzeScriptNew(JSContext *cx, JSScript *script)
 * Compute the 'this' type when called with 'new'. We do not distinguish regular
 * from 'new' calls to the function.
 */
- TypeFunction *funType = script->fun->getType()->asFunction();
- if (funType->unknownProperties || script->fun->isFunctionPrototype()) {
+
+ if (script->fun->getType()->unknownProperties || script->fun->isFunctionPrototype()) {
 script->thisTypes()->addType(cx, TYPE_UNKNOWN);
- } else {
- TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
- if (!prototypeTypes)
- return;
- prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
+ return;
 }
+
+ TypeFunction *funType = script->fun->getType()->asFunction();
+ TypeSet *prototypeTypes = funType->getProperty(cx, id_prototype(cx), false);
+ if (!prototypeTypes)
+ return;
+ prototypeTypes->addNewObject(cx, script, funType, script->thisTypes());
 }
 
 /////////////////////////////////////////////////////////////////////
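Review bot: The new test in bug640993.js has no comment saying what it guards, and it passes only by not crashing, so a reader cannot tell which statement matters. A one-line header such as `// Bug 640993: 'new' on a function whose __proto__ was set to null must not crash type inference.` would record that. The role of the `gc()` call is not evident from the page and deserves a short remark from the author.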
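Review bot: The reordered check in AnalyzeScriptNew depends on an invariant the code does not state: a function whose type object is not a function type must always have `unknownProperties` set (or be the function prototype), so that the early `return` is taken before `asFunction()` is reached. That reading is inferred from the commit subject and the new test; nothing in the hunk asserts it, and a later cleanup could hoist the cast back above the test and reintroduce the invalid downcast. I would extend the existing block comment with a line such as `* The type may not be a function type if __proto__ was reassigned (bug 640993); filter those out before calling asFunction().` and consider a debug assertion on the type kind immediately before the cast. AnalyzeScriptNew begins above the hunk, so the rest of its body is not visible here.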