wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 781214 - Ensure plain-ness of template object before looking up properties on it in jsop_initprop. (r=mjrosenb)

Browse Source
This commit is contained in:
Kannan Vijayan 2012-08-08 18:51:24 -04:00
parent 58946389e1
commit e59f7bb0f6
1 changed files with 21 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
js/src/ion/IonBuilder.cpp
View File

@ -3937,6 +3937,20 @@ IonBuilder::jsop_initelem_dense()
return true;
}
static bool
CanEffectlesslyCallLookupGenericOnObject(JSObject *obj)
{
JSObject *pobj = obj;
while (pobj) {
if (!pobj->isNative())
return false;
if (pobj->getClass()->ops.lookupProperty)
return false;
pobj = pobj->getProto();
}
return true;
}
bool
IonBuilder::jsop_initprop(HandlePropertyName name)
{
@ -3950,6 +3964,9 @@ IonBuilder::jsop_initprop(HandlePropertyName name)
return abort("INITPROP Monitored initprop");
}
if (!CanEffectlesslyCallLookupGenericOnObject(templateObject))
return abort("INITPROP template object is special");
RootedObject holder(cx);
RootedShape shape(cx);
RootedId id(cx, NameToId(name));
@ -4266,14 +4283,8 @@ TestSingletonProperty(JSContext *cx, JSObject *obj, HandleId id, bool *isKnownCo
*isKnownConstant = false;
JSObject *pobj = obj;
while (pobj) {
if (!pobj->isNative())
return true;
if (pobj->getClass()->ops.lookupProperty)
return true;
pobj = pobj->getProto();
}
if (!CanEffectlesslyCallLookupGenericOnObject(obj))
return true;
RootedObject holder(cx);
RootedShape shape(cx);
@ -5251,12 +5262,8 @@ IonBuilder::TestCommonPropFunc(JSContext *cx, types::TypeSet *types, HandleId id
// Turns out that we need to check for a property lookup op, else we
// will end up calling it mid-compilation.
JSObject *walker = curObj;
while (walker) {
if (!walker->isNative() || walker->getClass()->ops.lookupProperty)
return true;
walker = walker->getProto();
}
if (!CanEffectlesslyCallLookupGenericOnObject(curObj))
return true;
RootedObject proto(cx);
RootedShape shape(cx);