[INFER] Scan entire prototype chain for a lookupProperty hook when nop-ing accesses on singleton objects, bug 673788.
author Brian Hackett <bhackett1024@gmail.com>
Mon, 25 Jul 2011 15:00:42 -0700
changeset 76073 60cb5a22dc10d5e6be28e70770cbcda8b42edbc0
parent 76072 681d2903edb79aa46050872ee0962aa6527c178e
child 76074 4c2a1bf1b1ca65a21cafa138d1dce23ddb40af03
push id 3
push user felipc@gmail.com
push date Fri, 30 Sep 2011 20:09:13 +0000
bugs 673788
milestone 8.0a1
[INFER] Scan entire prototype chain for a lookupProperty hook when nop-ing accesses on singleton objects, bug 673788.
js/src/jit-test/tests/jaeger/bug673788.js
js/src/methodjit/Compiler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug673788.js
@@ -0,0 +1,10 @@
+// |jit-test| error: ReferenceError
+p = Proxy.create({
+  has: function() {}
+})
+Object.prototype.__proto__ = p
+n = [];
+(function() {
+  var a = [];
+  if (b) t = a.s()
+})()
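Review bot: The new test says nothing about what it regresses, so a reader cannot tell why a Proxy is placed above Object.prototype or why the never-executed `a.s()` call matters. I would add a comment after the jit-test directive: `// bug 673788: a lookupProperty hook anywhere on the prototype chain (here a proxy above Object.prototype) must stop the JIT from treating a.s as a provably-missing singleton property when compiling the call.` The expected ReferenceError presumably comes from the unbound `b`, which is only the trigger that gets this function compiled; the point of the test is that compiling `a.s()` no longer misoptimizes, and that should be stated so a later change to the error line does not silently void the test.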
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -4617,20 +4617,24 @@ mjit::Compiler::testSingletonProperty(JS
      *
      * If the access definitely goes through obj, either directly or on the
      * prototype chain, then if obj has a defined property now, and the
      * property has a default or method shape, the only way it can produce
      * undefined in the future is if it is deleted. Deletion causes type
      * properties to be explicitly marked with undefined.
      */
 
-    if (!obj->isNative())
-        return false;
-    if (obj->getClass()->ops.lookupProperty)
-        return false;
+    JSObject *nobj = obj;
+    while (nobj) {
+        if (!nobj->isNative())
+            return false;
+        if (nobj->getClass()->ops.lookupProperty)
+            return false;
+        nobj = nobj->getProto();
+    }
 
     JSObject *holder;
     JSProperty *prop = NULL;
     if (!obj->lookupProperty(cx, id, &holder, &prop))
         return false;
     if (!prop)
         return false;