Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 03 Dec 2013 19:18:10 +0100
changeset 158616 a9aaef3ab91f2f0abbcfb775e5553045b0808cc6
parent 158615 361907c4a2ce95f67a6f618ecf7cf10a57cbc653
child 158617 bac9d5883f366bde9b6d8c1a8728fc9df93e3258
push id25752
push usercbook@mozilla.com
push dateWed, 04 Dec 2013 08:35:03 +0000
reviewersbhackett
bugs945294
milestone28.0a1
Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett
js/src/jit-test/tests/ion/bug945294.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug945294.js
@@ -0,0 +1,22 @@
+// |jit-test| error:is not a function
+var arr = [];
+
+var C = function () {};
+C.prototype.dump = function () {};
+arr[0] = new C;
+
+C = function () {};
+C.prototype.dump = this;
+arr[1] = new C;
+
+function f() {
+    for (var i = 0; i < arr.length; i++)
+        arr[i].dump();
+}
+
+try {
+    f();
+} catch (exc) {
+    assertEq(exc.message.contains("is not a function"), true);
+}
+f();
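Review bot: The test does not say which statement makes it a regression test; a reader has to work out that `C.prototype.dump = this;` puts a singleton non-function (the global object) on the second prototype, so that `arr[i].dump()` sees both a function and a non-function at the same call site. A one-line comment above that assignment, such as `// Non-function singleton on the prototype: the call below must throw, not be inlined as a function.`, would keep the intent clear if the test is ever edited. The loop runs only two iterations per call, so the test presumably depends on the harness's eager-compilation flags to reach Ion at all; that is worth stating in the header comment as well.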
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -7998,17 +7998,17 @@ IonBuilder::annotateGetPropertyCache(MDe
         if (typeObj->unknownProperties() || !typeObj->proto().isObject())
             continue;
 
         types::HeapTypeSetKey ownTypes = typeObj->property(NameToId(name));
         if (ownTypes.isOwnProperty(constraints()))
             continue;
 
         JSObject *singleton = testSingletonProperty(typeObj->proto().toObject(), name);
-        if (!singleton)
+        if (!singleton || !singleton->is<JSFunction>())
             continue;
 
         // Don't add cases corresponding to non-observed pushes
         if (!pushedTypes->hasType(types::Type::ObjectType(singleton)))
             continue;
 
         if (!inlinePropTable->addEntry(alloc(), baseTypeObj, &singleton->as<JSFunction>()))
             return false;
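Review bot: The new `!singleton->is<JSFunction>()` test is the only thing that makes the `singleton->as<JSFunction>()` in the `addEntry` call at the end of the hunk safe, and nothing in the code says so. `testSingletonProperty` returns a plain `JSObject *`, so it can evidently hand back a non-function singleton, and as far as I know `as<T>()` only asserts the type in debug builds, so in a release build the wrong object would be treated as a JSFunction by the inline dispatch table. I would add a comment above the check, e.g. `// Only functions may enter the inline prop table; as<JSFunction>() below is unchecked in release builds.` It is also worth checking whether other callers of `testSingletonProperty` downcast its result the same way; the body of annotateGetPropertyCache starts and ends outside this hunk, so that cannot be judged from here.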