| author | Kannan Vijayan <kvijayan@mozilla.com> |
| Wed, 12 Nov 2014 16:22:44 -0500 | |
| changeset 215371 | e3c785a79ee9daff1929c9bf00e89054a0453262 |
| parent 215370 | 2bf5a7209f06fad83b378134644dd39e744a5106 |
| child 215372 | 8dbb9eef253b62e71cde1a859967f279d996fb22 |
| push id | 27813 |
| push user | kwierso@gmail.com |
| push date | Thu, 13 Nov 2014 01:03:17 +0000 |
| treeherder | mozilla-central@64f1fb1e2f38 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | jandem |
| bugs | 1081850 |
| milestone | 36.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| js/src/jit-test/tests/baseline/bug1081850.js | file | annotate | diff | comparison | revisions | |
| js/src/jit/BaselineIC.cpp | file | annotate | diff | comparison | revisions |
new file mode 100644 --- /dev/null +++ b/js/src/jit-test/tests/baseline/bug1081850.js @@ -0,0 +1,18 @@ +// |jit-test| ion-eager + +var ARR = []; +try { + function f() { + ARR.push(eval.prototype) + } + f() + function eval()(0) + f() +} catch (e) {} + +if (ARR.length !== 2) + throw new Error("ERROR 1"); +if (typeof(ARR[0]) !== 'undefined') + throw new Error("ERROR 2"); +if (typeof(ARR[1]) !== 'object') + throw new Error("ERROR 3");
--- a/js/src/jit/BaselineIC.cpp +++ b/js/src/jit/BaselineIC.cpp @@ -3356,16 +3356,20 @@ CheckHasNoSuchProperty(JSContext *cx, Ha MOZ_ASSERT(protoChainDepthOut != nullptr); size_t depth = 0; RootedObject curObj(cx, obj); while (curObj) { if (!curObj->isNative()) return false; + // Don't handle proto chains with resolve hooks. + if (curObj->getClass()->resolve != JS_ResolveStub) + return false; + Shape *shape = curObj->as<NativeObject>().lookup(cx, NameToId(name)); if (shape) return false; JSObject *proto = curObj->getTaggedProto().toObjectOrNull(); if (!proto) break;