CallJSPropertyOp incorrectly called with obj instead of receiver in Shape::get (bug 648919, r=jorendorff).
authorAndreas Gal <gal@mozilla.com>
Sun, 10 Apr 2011 17:49:59 -0700
changeset 67941 d014f4c16b8564d6e773bec60a80d3c9dd503caf
parent 67940 d0c4ec536e5faf48ff40f717c46206312bcf29f1
child 67942 474e167e344acdc57eba2289233f1b95f4962756
child 74923 100ab867dda157e7cd2bb81d9780c0218526e083
push id19455
push usercleary@mozilla.com
push dateTue, 12 Apr 2011 03:42:33 +0000
treeherdermozilla-central@d208845094bf [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjorendorff
bugs648919
milestone2.2a1pre
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
CallJSPropertyOp incorrectly called with obj instead of receiver in Shape::get (bug 648919, r=jorendorff).
js/src/jscntxtinlines.h
js/src/jsscopeinlines.h
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@@ -736,22 +736,22 @@ CallJSNativeConstructor(JSContext *cx, j
     JS_ASSERT_IF(native != proxy_Construct && native != js::CallOrConstructBoundFunction &&
                  (!callee->isFunction() || callee->getFunctionPrivate()->u.n.clasp != &js_ObjectClass),
                  !vp->isPrimitive() && callee != &vp[0].toObject());
 
     return true;
 }
 
 JS_ALWAYS_INLINE bool
-CallJSPropertyOp(JSContext *cx, js::PropertyOp op, JSObject *obj, jsid id, js::Value *vp)
+CallJSPropertyOp(JSContext *cx, js::PropertyOp op, JSObject *receiver, jsid id, js::Value *vp)
 {
-    assertSameCompartment(cx, obj, id, *vp);
-    JSBool ok = op(cx, obj, id, vp);
+    assertSameCompartment(cx, receiver, id, *vp);
+    JSBool ok = op(cx, receiver, id, vp);
     if (ok)
-        assertSameCompartment(cx, obj, *vp);
+        assertSameCompartment(cx, receiver, *vp);
     return ok;
 }
 
 JS_ALWAYS_INLINE bool
 CallJSPropertyOpSetter(JSContext *cx, js::StrictPropertyOp op, JSObject *obj, jsid id,
                        JSBool strict, js::Value *vp)
 {
     assertSameCompartment(cx, obj, id, *vp);
--- a/js/src/jsscopeinlines.h
+++ b/js/src/jsscopeinlines.h
@@ -225,17 +225,17 @@ Shape::get(JSContext* cx, JSObject *rece
     }
 
     /*
      * |with (it) color;| ends up here, as do XML filter-expressions.
      * Avoid exposing the With object to native getters.
      */
     if (obj->getClass() == &js_WithClass)
         obj = js_UnwrapWithObject(cx, obj);
-    return js::CallJSPropertyOp(cx, getterOp(), obj, SHAPE_USERID(this), vp);
+    return js::CallJSPropertyOp(cx, getterOp(), receiver, SHAPE_USERID(this), vp);
 }
 
 inline bool
 Shape::set(JSContext* cx, JSObject* obj, bool strict, js::Value* vp) const
 {
     JS_ASSERT_IF(hasDefaultSetter(), hasGetterValue());
 
     if (attrs & JSPROP_SETTER) {