Bug 1067009 - Don't assume that someRegExp.source is an atom. r=billm
authorBobby Holley <bobbyholley@gmail.com>
Wed, 01 Oct 2014 17:22:15 +0200
changeset 208220 b9a03ef2866326f6c777cc556dc5951c90599d52
parent 208219 691f25f5e6b3a0e72600186eb6e576d87285eda1
child 208221 41a8bae313cc3464fa21db9be558c8cf47b5c76c
push id27580
push userkwierso@gmail.com
push dateWed, 01 Oct 2014 23:26:55 +0000
reviewersbillm
bugs1067009
milestone35.0a1
Bug 1067009 - Don't assume that someRegExp.source is an atom. r=billm
js/src/builtin/RegExp.cpp
--- a/js/src/builtin/RegExp.cpp
+++ b/js/src/builtin/RegExp.cpp
@@ -250,17 +250,19 @@ CompileRegExpObject(JSContext *cx, RegEx
         /*
          * 'toSource' is a permanent read-only property, so this is equivalent
          * to executing RegExpObject::getSource on the unwrapped object.
          */
         RootedValue v(cx);
         if (!JSObject::getProperty(cx, sourceObj, sourceObj, cx->names().source, &v))
             return false;
 
-        Rooted<JSAtom*> sourceAtom(cx, &v.toString()->asAtom());
+        // For proxies like CPOWs, we can't assume the result of a property get
+        // for 'source' is atomized.
+        Rooted<JSAtom*> sourceAtom(cx, AtomizeString(cx, v.toString()));
         RegExpObject *reobj = builder.build(sourceAtom, flags);
         if (!reobj)
             return false;
 
         args.rval().setObject(*reobj);
         return true;
     }
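Review bot: The atom returned by `AtomizeString(cx, v.toString())` on the added line goes straight into `builder.build(sourceAtom, flags)` without a null check. Unlike the `asAtom()` cast it replaces, atomizing can allocate and returns null on failure, so add `if (!sourceAtom) return false;` directly after the declaration. The proxy case named in the new comment also suggests `v` may not be guaranteed to hold a string when the get is answered by another process. `v.toString()` presumably only asserts the tag in debug builds, so it is worth confirming whether an explicit `v.isString()` check (or a ToString conversion) is needed before atomizing. CompileRegExpObject starts and continues outside this hunk, so an earlier guard may already cover the second point.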