Watch for native functions when cloning methods accessed by fun.caller, bug 709634. r=luke
author Brian Hackett <bhackett1024@gmail.com>
Thu, 15 Dec 2011 09:17:11 -0800
changeset 82671 dacb8e36e8bd371f126fb67e64ee6e9e33f53bef
parent 82670 e9014ab86f5dc0634566fb4023ebb16045bc51ae
child 82672 abdc706d75d11b20bb301ab3cee062ceb01c06a8
push id 21693
push user bmo@edmorley.co.uk
push date Fri, 16 Dec 2011 01:34:58 +0000
reviewers luke
bugs 709634
milestone 11.0a1
js/src/jit-test/tests/basic/bug709634.js
js/src/jsfun.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug709634.js
@@ -0,0 +1,6 @@
+
+Function.prototype.toString = function () f(this, true);
+function f(obj) {
+  f.caller.p
+}
+decodeURI + 3;
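Review bot: The new test file bug709634.js states no expected result anywhere: there is no header comment and no assertion, so a reader cannot tell that the point is for `decodeURI + 3` to invoke the overridden `Function.prototype.toString` with a native function as `this` while `f` reads `f.caller.p`, presumably passing simply by completing without an assertion failure. Add a one-line comment saying so. In addition, `f(this, true)` passes a second argument that `function f(obj)` does not declare, and `obj` is never used in the body; drop them or note why they are needed to reproduce.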
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -1043,16 +1043,17 @@ StackFrame::getValidCalleeObject(JSConte
                     return true;
                 }
 
                 if (shape->hasSlot()) {
                     Value v = thisp->getSlot(shape->slot());
                     JSFunction *clone;
 
                     if (IsFunctionObject(v, &clone) &&
+                        clone->isInterpreted() &&
                         clone->script() == fun->script() &&
                         clone->methodObj() == thisp) {
                         /*
                          * N.B. If the method barrier was on a function
                          * with singleton type, then while crossing the
                          * method barrier CloneFunctionObject will have
                          * ignored the attempt to clone the function.
                          */
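Review bot: The added `clone->isInterpreted()` condition inside the `IsFunctionObject(v, &clone)` test has no comment, and the N.B. comment that follows only covers the singleton-type case. Add a short note that the slot value `v` can be a native function, so the check must be evaluated before `clone->script()`. The ordering here is correct because `&&` short-circuits, but without the comment a later reshuffle of these conditions could put `clone->script()` first again.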