From 6e4e0d61ae79c21670dbebfc2e59c1c436b68901 Mon Sep 17 00:00:00 2001
From: Jason Orendorff <jorendorff@mozilla.com>
Date: Sat, 7 Aug 2010 14:57:59 -0500
Subject: [PATCH] Bug 458271 - Property cache causes resolve hooks not to be
 called. r=brendan.

---
 dom/tests/mochitest/bugs/Makefile.in         |  1 +
 dom/tests/mochitest/bugs/test_bug458271.html | 48 ++++++++++++++++++++
 js/src/jspropertycache.cpp                   | 13 ++++--
 js/src/jstracer.cpp                          |  5 +-
 4 files changed, 62 insertions(+), 5 deletions(-)
 create mode 100644 dom/tests/mochitest/bugs/test_bug458271.html

diff --git a/dom/tests/mochitest/bugs/Makefile.in b/dom/tests/mochitest/bugs/Makefile.in
index 318dbafe297..63e35b5b20d 100644
--- a/dom/tests/mochitest/bugs/Makefile.in
+++ b/dom/tests/mochitest/bugs/Makefile.in
@@ -119,6 +119,7 @@ _TEST_FILES	= \
 		test_DOMWindowCreated_chromeonly.html \
 		test_bug581072.html \
 		test_bug583225.html \
+		test_bug458271.html \
 		$(NULL)
 
 libs:: 	$(_TEST_FILES)
diff --git a/dom/tests/mochitest/bugs/test_bug458271.html b/dom/tests/mochitest/bugs/test_bug458271.html
new file mode 100644
index 00000000000..dec3af0c42a
--- /dev/null
+++ b/dom/tests/mochitest/bugs/test_bug458271.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=458271
+-->
+<head>
+  <title>Test for Bug 458271</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=458271">Mozilla Bug 458271</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+<script type="application/javascript">
+/** Test for Bug 458271 **/
+// Note: this test uses GC to force the property cache to be purged. If
+// bug 506341 is fixed, that won't work anymore, and this test will be
+// less reliable. (That is, regressing bug 458271 would cause this test to
+// fail randomly, not reliably.)
+
+var f;
+function lookup() {
+    return f.target;
+}
+
+var content = document.getElementById("content");
+for (var i = 0; i < 4; i++) {
+    content.innerHTML = '<form name="f"></form>';
+    f = document.forms.f;
+
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    Components.utils.forceGC();
+
+    f.innerHTML = '';  // make sure later f.innerHTML doesn't change shape
+    lookup();
+    lookup();          // nsIDOMHTMLFormElement.target goes into propcache
+    f.innerHTML = '<input type="text" name="target">';  // shadows f.target
+    is(typeof lookup(), "object",
+       "lookup must find form input, not shadowed DOM attribute");
+}
+</script>
+</pre>
+</body>
+</html>
diff --git a/js/src/jspropertycache.cpp b/js/src/jspropertycache.cpp
index ab9e8a94f60..f2b34baf031 100644
--- a/js/src/jspropertycache.cpp
+++ b/js/src/jspropertycache.cpp
@@ -101,13 +101,18 @@ PropertyCache::fill(JSContext *cx, JSObject *obj, uintN scopeIndex, uintN protoI
 
         protoIndex = 1;
         for (;;) {
-            tmp = tmp->getProto();
-
             /*
              * We cannot cache properties coming from native objects behind
-             * non-native ones on the prototype chain. The non-natives can
-             * mutate in arbitrary way without changing any shapes.
+             * non-native objects, or objects with resolve hooks, on the
+             * prototype chain. Such objects can mutate without changing any
+             * shapes.
              */
+            if (tmp->getClass()->resolve) {
+                PCMETER(noprotos++);
+                return JS_NO_PROP_CACHE_FILL;
+            }
+
+            tmp = tmp->getProto();
             if (!tmp || !tmp->isNative()) {
                 PCMETER(noprotos++);
                 return JS_NO_PROP_CACHE_FILL;
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index aa997c5a1b6..c1d61f6421a 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -9443,7 +9443,6 @@ TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2
     JS_PROPERTY_CACHE(cx).test(cx, pc, aobj, obj2, entry, atom);
     if (atom) {
         // Miss: pre-fill the cache for the interpreter, as well as for our needs.
-        // FIXME: bug 458271.
         jsid id = ATOM_TO_JSID(atom);
 
         // The lookup below may change object shapes.
@@ -9484,6 +9483,10 @@ TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2
             if (prop) {
                 if (!obj2->isNative())
                     RETURN_STOP_A("property found on non-native object");
+
+                // This property cache fill is necessary for correctness! It
+                // returns JS_NO_PROP_CACHE_FILL if the above lookup called any
+                // resolve hooks, which must inhibit tracing. See bug 458271.
                 entry = JS_PROPERTY_CACHE(cx).fill(cx, aobj, 0, protoIndex, obj2,
                                                    (JSScopeProperty*) prop);
                 JS_ASSERT(entry);