Bug 951213 - Improve robustness when rolling back properties after the definite properties analysis fails, r=jandem.

2024-09-13 09:24:08 -07:00 · 2013-12-20 13:04:08 -07:00 · 2013-12-20 13:04:08 -07:00 · 23c5951660
commit 23c5951660
parent 5e5f586850
4 changed files with 28 additions and 7 deletions
--- a/js/src/jit-test/tests/basic/bug951213.js
+++ b/js/src/jit-test/tests/basic/bug951213.js
@ -0,0 +1,8 @@
+
+setObjectMetadataCallback(function(obj) {});
+function foo(x, y) {
+  this.g = x + y;
+}
+var a = 0;
+var b = { valueOf: function() Object.defineProperty(Object.prototype, 'g', {}) };
+var c = new foo(a, b);
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@ -3129,8 +3129,10 @@ TypeObject::clearNewScriptAddendum(ExclusiveContext *cx)
                }
            }

-            if (!finished)
-                obj->rollbackProperties(cx, numProperties);
+            if (!finished) {
+                if (!obj->rollbackProperties(cx, numProperties))
+                    cx->compartment()->types.setPendingNukeTypes(cx);
+            }
        }
    } else {
        // Threads with an ExclusiveContext are not allowed to run scripts.
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -416,7 +416,7 @@ class JSObject : public js::ObjectImpl
            elements[i].js::HeapSlot::~HeapSlot();
    }

-    void rollbackProperties(js::ExclusiveContext *cx, uint32_t slotSpan);
+    bool rollbackProperties(js::ExclusiveContext *cx, uint32_t slotSpan);

    void nativeSetSlot(uint32_t slot, const js::Value &value) {
        JS_ASSERT(isNative());
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@ -1156,7 +1156,7 @@ JSObject::clear(JSContext *cx, HandleObject obj)
    obj->checkShapeConsistency();
 }

-void
+bool
 JSObject::rollbackProperties(ExclusiveContext *cx, uint32_t slotSpan)
 {
    /*
@ -1165,10 +1165,21 @@ JSObject::rollbackProperties(ExclusiveContext *cx, uint32_t slotSpan)
     * removal of the last properties.
     */
    JS_ASSERT(!inDictionaryMode() && slotSpan <= this->slotSpan());
-    while (this->slotSpan() != slotSpan) {
-        JS_ASSERT(lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined());
-        removeLastProperty(cx);
+    while (true) {
+        if (lastProperty()->isEmptyShape()) {
+            JS_ASSERT(slotSpan == 0);
+            break;
+        } else {
+            uint32_t slot = lastProperty()->slot();
+            if (slot < slotSpan)
+                break;
+            JS_ASSERT(getSlot(slot).isUndefined());
+        }
+        if (!removeProperty(cx, lastProperty()->propid()))
+            return false;
    }
+
+    return true;
 }

 Shape *