Mercurial > integration > mozilla-inbound / changeset / dacb8e36e8bd371f126fb67e64ee6e9e33f53bef
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Watch for native functions when cloning methods accessed by fun.caller, bug 709634. r=luke
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 15 Dec 2011 09:17:11 -0800
changeset 82667 dacb8e36e8bd371f126fb67e64ee6e9e33f53bef
parent 82666 e9014ab86f5dc0634566fb4023ebb16045bc51ae
child 82668 abdc706d75d11b20bb301ab3cee062ceb01c06a8
push id4050
push userbhackett@mozilla.com
push dateThu, 15 Dec 2011 17:17:24 +0000
treeherdermozilla-inbound@dacb8e36e8bd [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke
bugs709634
milestone11.0a1
first release with
nightly linux32
5efcb9c3b375 / 11.0a1 / 20111216031140 / files
nightly linux64
5efcb9c3b375 / 11.0a1 / 20111216031140 / files
nightly mac
5efcb9c3b375 / 11.0a1 / 20111216031140 / files
nightly win32
5efcb9c3b375 / 11.0a1 / 20111216031140 / files
nightly win64
5efcb9c3b375 / 11.0a1 / 20111216031140 / files
last release without
nightly linux32
beac16509534 / 11.0a1 / 20111215031153 / files
nightly linux64
beac16509534 / 11.0a1 / 20111215031153 / files
nightly mac
beac16509534 / 11.0a1 / 20111215031153 / files
nightly win32
beac16509534 / 11.0a1 / 20111215031153 / files
nightly win64
beac16509534 / 11.0a1 / 20111215031153 / files
Watch for native functions when cloning methods accessed by fun.caller, bug 709634. r=luke
js/src/jit-test/tests/basic/bug709634.js file | annotate | diff | comparison | revisions
js/src/jsfun.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug709634.js
@@ -0,0 +1,6 @@
+
+Function.prototype.toString = function () f(this, true);
+function f(obj) {
+  f.caller.p
+}
+decodeURI + 3;
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -1043,16 +1043,17 @@ StackFrame::getValidCalleeObject(JSConte
                     return true;
                 }
 
                 if (shape->hasSlot()) {
                     Value v = thisp->getSlot(shape->slot());
                     JSFunction *clone;
 
                     if (IsFunctionObject(v, &clone) &&
+                        clone->isInterpreted() &&
                         clone->script() == fun->script() &&
                         clone->methodObj() == thisp) {
                         /*
                          * N.B. If the method barrier was on a function
                          * with singleton type, then while crossing the
                          * method barrier CloneFunctionObject will have
                          * ignored the attempt to clone the function.
                          */
mozilla-inbound
Deployed from 4b0de666d1a4 at 2020-07-30T19:32:31Z.