From 374edb776d80ccc555a48063148788f8d64cdbe4 Mon Sep 17 00:00:00 2001
From: Eric Faust <efaust@mozilla.com>
Date: Tue, 17 Jul 2012 17:26:37 -0700
Subject: [PATCH] Bug 774257 - Fix accessor inlining for watched objects.
 (r=dvander)

---
 js/src/ion/IonBuilder.cpp                |  8 ++++++++
 js/src/jit-test/tests/ion/bug774257-1.js |  8 ++++++++
 js/src/jit-test/tests/ion/bug774257-2.js | 10 ++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 js/src/jit-test/tests/ion/bug774257-1.js
 create mode 100644 js/src/jit-test/tests/ion/bug774257-2.js

diff --git a/js/src/ion/IonBuilder.cpp b/js/src/ion/IonBuilder.cpp
index 266f3d0afd7..0d2e1d5fd64 100644
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@@ -4962,6 +4962,14 @@ IonBuilder::TestCommonPropFunc(JSContext *cx, types::TypeSet *types, HandleId id
         while (curObj != foundProto) {
             if (curObj->getType(cx)->unknownProperties())
                 return true;
+
+            // If anyone on the chain is watched, TI thinks they have an own
+            // property, which means if they were to actually overwrite the
+            // property accessors, we would never know, since we are freezing on
+            // setting that flag.
+            if (!isGetter && curObj->watched())
+                return true;
+
             curObj = curObj->getProto();
         }
     }
diff --git a/js/src/jit-test/tests/ion/bug774257-1.js b/js/src/jit-test/tests/ion/bug774257-1.js
new file mode 100644
index 00000000000..9c998a028eb
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug774257-1.js
@@ -0,0 +1,8 @@
+Object.defineProperty(Object.prototype, 'x', { 
+    set: function() { evalcx('lazy'); } 
+});
+var obj = {};
+obj.watch("x", function (id, oldval, newval) {});
+for (var str in 'A') {
+    obj.x = 1;
+}
diff --git a/js/src/jit-test/tests/ion/bug774257-2.js b/js/src/jit-test/tests/ion/bug774257-2.js
new file mode 100644
index 00000000000..b31043b0890
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug774257-2.js
@@ -0,0 +1,10 @@
+Object.defineProperty(Object.prototype, 'x', { 
+    set: function() { evalcx('lazy'); } 
+});
+var obj = {};
+var prot = {};
+obj.__proto__ = prot;
+obj.watch("x", function (id, oldval, newval) {});
+for (var str in 'A') {
+    obj.x = 1;
+}