Fix bug 454266 - js_FillPropertyCache uses the wrong scope's shape sometimes (r=mrbkap).
authorBrendan Eich <brendan@mozilla.org>
Mon, 08 Sep 2008 15:51:47 -0700
changeset 19079 728cf8bf1648f4ea344e34c71751df9768e63a54
parent 19078 73a0e8ebcbee014d2c49daaedad76e3769c9a362
child 19080 cc3609a48e1694101b20ebfb5d3611a0904dbede
push id1930
push usermrbkap@mozilla.com
push dateWed, 10 Sep 2008 06:40:47 +0000
reviewersmrbkap
bugs454266
milestone1.9.1b1pre
Fix bug 454266 - js_FillPropertyCache uses the wrong scope's shape sometimes (r=mrbkap).
js/src/jsinterp.cpp
js/src/jstracer.cpp
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -253,17 +253,17 @@ js_FillPropertyCache(JSContext *cx, JSOb
      * shape if op is overtly mutating, to bias for the case where the mutator
      * udpates shape predictably.
      *
      * Note that an apparently non-mutating op such as JSOP_NAME may still
      * mutate the base object via, e.g., lazy standard class initialization,
      * but that is a one-time event and we'll have to miss the old shape and
      * re-fill under the new one.
      */
-    if (!(cs->format & (JOF_SET | JOF_INCDEC)))
+    if (!(cs->format & (JOF_SET | JOF_INCDEC)) && obj == pobj)
         kshape = scope->shape;
 
     khash = PROPERTY_CACHE_HASH_PC(pc, kshape);
     if (obj == pobj) {
         JS_ASSERT(kshape != 0 || scope->shape != 0);
         JS_ASSERT(scopeIndex == 0 && protoIndex == 0);
         JS_ASSERT(OBJ_SCOPE(obj)->object == obj);
     } else {
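Review bot: The comment block ending just above the changed condition still explains only the mutating-op case and says nothing about the new `obj == pobj` test, so a reader cannot tell why a prototype hit now leaves kshape at the caller-supplied value instead of `scope->shape`. Add a sentence to that comment such as `* Likewise keep the caller's kshape when the property was found on a prototype (obj != pobj): scope appears to be pobj's scope there, so scope->shape is not obj's shape.` — hedged, since where `scope` is taken from is outside this hunk. The `JS_ASSERT(kshape != 0 || scope->shape != 0)` check covers only the `obj == pobj` branch; the `else` branch is cut off here, so I cannot see whether the prototype case asserts anything about kshape. While touching that comment, `udpates` could be spelled `updates`. js_FillPropertyCache begins before and continues past the hunk.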
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -3453,17 +3453,17 @@ TraceRecorder::test_property_cache_direc
         return false;
 
     /* No such property means invalid slot, which callers must check for first. */
     if (PCVAL_IS_NULL(pcval)) {
         slot = SPROP_INVALID_SLOT;
         return true;
     }
 
-    /* Insist if setting on obj being the directly addressed object. */
+    /* If modifying the slot, insist on obj being the directly addressed object. */
     uint32 setflags = (js_CodeSpec[*cx->fp->regs->pc].format & (JOF_SET | JOF_INCDEC));
     if (setflags && obj2 != obj)
         ABORT_TRACE("JOF_SET opcode hit prototype chain");
 
     /* Don't trace getter or setter calls, our caller wants a direct slot. */
     if (PCVAL_IS_SPROP(pcval)) {
         JSScopeProperty* sprop = PCVAL_TO_SPROP(pcval);