Properly watch for indexed prototypes and configured properties in array prototype, bug 709067. r=luke

2024-09-13 09:24:08 -07:00 · 2011-12-15 08:51:09 -08:00 · 2011-12-15 08:51:09 -08:00 · 788d4d29a6
commit 788d4d29a6
parent 8fbe02a1f8
2 changed files with 23 additions and 10 deletions
--- a/js/src/jit-test/tests/jaeger/bug709067.js
+++ b/js/src/jit-test/tests/jaeger/bug709067.js
@ -0,0 +1,11 @@
+called = 0;
+Object.defineProperty(Object.prototype, 0, {set: function() { called++; }});
+function testInit()
+{
+  var a = [];
+  for (var i = 0; i < 5; i++)
+    a[i] = 0;
+}
+for (var i = 0; i < 100; i++)
+  testInit();
+assertEq(called, 100);
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -7702,17 +7702,19 @@ mjit::Compiler::arrayPrototypeHasIndexedProperty()

    JSObject *proto;
    if (!js_GetClassPrototype(cx, NULL, JSProto_Array, &proto, NULL))
-        return false;
-
-    /*
-     * It is sufficient to check just Array.prototype; if Object.prototype is
-     * unknown or has an indexed property, those will be reflected in
-     * Array.prototype.
-     */
-    if (proto->getType(cx)->unknownProperties())
        return true;
-    types::TypeSet *arrayTypes = proto->getType(cx)->getProperty(cx, JSID_VOID, false);
-    return !arrayTypes || arrayTypes->knownNonEmpty(cx);
+
+    while (proto) {
+        types::TypeObject *type = proto->getType(cx);
+        if (type->unknownProperties())
+            return true;
+        types::TypeSet *indexTypes = type->getProperty(cx, JSID_VOID, false);
+        if (!indexTypes || indexTypes->isOwnProperty(cx, type, true) || indexTypes->knownNonEmpty(cx))
+            return true;
+        proto = proto->getProto();
+    }
+
+    return false;
 }

 /*