[INFER] Always monitor accesses on __proto__ and similar properties,
bug 645044.
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/recompile/bug645044.js
@@ -0,0 +1,4 @@
+
+this.__defineGetter__("x", gc);
+x.__proto__ = this;
+__proto__ = 44;
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -834,38 +834,38 @@ GetPropertyObject(JSContext *cx, JSScrip
* here, whether via x.f, x[f], or global name accesses.
*/
static inline void
PropertyAccess(JSContext *cx, JSScript *script, const jsbytecode *pc, TypeObject *object,
bool assign, TypeSet *target, jsid id)
{
JS_ASSERT_IF(!target, assign);
- /* Reads from objects with unknown properties are unknown, writes to such objects are ignored. */
- if (object->unknownProperties) {
- if (!assign)
- target->addType(cx, TYPE_UNKNOWN);
- return;
- }
-
/* Monitor assigns on the 'prototype' property. */
if (assign && id == id_prototype(cx)) {
cx->compartment->types.monitorBytecode(cx, script, pc - script->code);
return;
}
/* Monitor accesses on other properties with special behavior we don't keep track of. */
if (id == id___proto__(cx) || id == id_constructor(cx) || id == id_caller(cx)) {
if (assign)
cx->compartment->types.monitorBytecode(cx, script, pc - script->code);
else
target->addType(cx, TYPE_UNKNOWN);
return;
}
+ /* Reads from objects with unknown properties are unknown, writes to such objects are ignored. */
+ if (object->unknownProperties) {
+ if (!assign)
+ target->addType(cx, TYPE_UNKNOWN);
+ return;
+ }
+
/* Capture the effects of a standard property access. */
if (target) {
TypeSet *types = object->getProperty(cx, id, assign);
if (!types)
return;
if (assign)
target->addSubset(cx, script, types);
else