Bug 965898 - Don't reuse the JSPropertyDescriptor in BaseProxyHandler::keys. r=gabor
authorBobby Holley <bobbyholley@gmail.com>
Wed, 30 Jul 2014 12:23:03 -0700
changeset 196846 2a6260b2ae9c9e8209ede753f7fd505fe55fb038
parent 196845 92d1c61c3cdfd301a1a6d3127ac186c67037d765
child 196847 60dcc2593586391ef35aa365e4ecab8543d02421
push id46984
push userbobbyholley@gmail.com
push dateWed, 30 Jul 2014 19:24:00 +0000
treeherdermozilla-inbound@22e1b7b69877 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersgabor
bugs965898
milestone34.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 965898 - Don't reuse the JSPropertyDescriptor in BaseProxyHandler::keys. r=gabor This causes garbage from a previous lookup to propagate into subsequent lookups, and creates confusing situations (like having both a value and a getter).
js/src/jsproxy.cpp
--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@@ -232,26 +232,26 @@ BaseProxyHandler::keys(JSContext *cx, Ha
 {
     assertEnteredPolicy(cx, proxy, JSID_VOID, ENUMERATE);
     JS_ASSERT(props.length() == 0);
 
     if (!getOwnPropertyNames(cx, proxy, props))
         return false;
 
     /* Select only the enumerable properties through in-place iteration. */
-    Rooted<PropertyDescriptor> desc(cx);
     RootedId id(cx);
     size_t i = 0;
     for (size_t j = 0, len = props.length(); j < len; j++) {
         JS_ASSERT(i <= j);
         id = props[j];
         if (JSID_IS_SYMBOL(id))
             continue;
 
         AutoWaivePolicy policy(cx, proxy, id, BaseProxyHandler::GET);
+        Rooted<PropertyDescriptor> desc(cx);
         if (!getOwnPropertyDescriptor(cx, proxy, id, &desc))
             return false;
         if (desc.object() && desc.isEnumerable())
             props[i++].set(id);
     }
 
     JS_ASSERT(i <= props.length());
     props.resize(i);