[INFER] Set standard class slots before updating type info, bug 649439.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 13 Apr 2011 07:09:21 -0700
changeset 74936 1de60bd27adbb75c1184f3d2227774f1b4e310cd
parent 74935 9eafb9ecc76a1c45523df01baf51a43b142c56a2
child 74937 14d8f4d012962c7811fc084d186a4e35f694c9d3
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs649439
milestone6.0a1
[INFER] Set standard class slots before updating type info, bug 649439.
js/src/jit-test/tests/basic/bug649439.js
js/src/jsobjinlines.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug649439.js
@@ -0,0 +1,3 @@
+var o1 = new String("abc");
+var o2 = o1[1];
+o2[1];
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -1484,24 +1484,27 @@ DefineConstructorAndPrototype(JSContext 
     JS_ASSERT(global->isGlobal());
     JS_ASSERT(!global->nativeEmpty()); /* reserved slots already allocated */
     JS_ASSERT(ctor);
     JS_ASSERT(proto);
 
     jsid id = ATOM_TO_JSID(cx->runtime->atomState.classAtoms[key]);
     JS_ASSERT(!global->nativeLookup(id));
 
-    if (!cx->addTypePropertyId(global->getType(), id, ObjectValue(*ctor)))
-        return false;
-
-    if (!global->addDataProperty(cx, id, key + JSProto_LIMIT * 2, 0))
-        return false;
-
+    /* Set these first in case addTypePropertyId looks for this class. */
     global->setSlot(key, ObjectValue(*ctor));
     global->setSlot(key + JSProto_LIMIT, ObjectValue(*proto));
+
+    if (!cx->addTypePropertyId(global->getType(), id, ObjectValue(*ctor)) ||
+        !global->addDataProperty(cx, id, key + JSProto_LIMIT * 2, 0)) {
+        global->setSlot(key, UndefinedValue());
+        global->setSlot(key + JSProto_LIMIT, UndefinedValue());
+        return false;
+    }
+
     global->setSlot(key + JSProto_LIMIT * 2, ObjectValue(*ctor));
     return true;
 }
 
 } /* namespace js */
 
 inline JSObject *
 js_GetProtoIfDenseArray(JSObject *obj)