[INFER] Fix type handler for Object.valueOf, add testcase, bug 643244.
authorBrian Hackett <bhackett1024@gmail.com>
Sun, 20 Mar 2011 10:43:38 -0700
changeset 74824 a0052afaf27fe2c345ee2ee3228f67fce47f6b11
parent 74823 6ca659590941271ff5af4fb31a29360bff871e67
child 74825 507c4273633ada1a092e62469b7d04f899f78108
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs643244
milestone2.0b13pre
[INFER] Fix type handler for Object.valueOf, add testcase, bug 643244.
js/src/jit-test/tests/basic/bug643243.js
js/src/jit-test/tests/basic/bug643244.js
js/src/jsobj.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug643243.js
@@ -0,0 +1,11 @@
+{
+    function newSandbox(n) {}
+}
+var o12 = Float32Array.prototype;
+function f12(o) {
+    eval('o')['__proto_' + '_'] = null;
+}
+for (var i = 0; i < 14; i++) {
+    gc()
+    new f12(o12);
+}
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug643244.js
@@ -0,0 +1,2 @@
+delete(0).__proto__.valueOf
+eval("(function(){(0).valueOf();<x/>})")()
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -2841,17 +2841,17 @@ const char js_isPrototypeOf_str[] = "isP
 const char js_propertyIsEnumerable_str[] = "propertyIsEnumerable";
 
 static JSFunctionSpec object_methods[] = {
 #if JS_HAS_TOSOURCE
     JS_FN_TYPE(js_toSource_str,             obj_toSource,                0,0, JS_TypeHandlerString),
 #endif
     JS_FN_TYPE(js_toString_str,             obj_toString,                0,0, JS_TypeHandlerString),
     JS_FN_TYPE(js_toLocaleString_str,       obj_toLocaleString,          0,0, JS_TypeHandlerString),
-    JS_FN_TYPE(js_valueOf_str,              obj_valueOf,                 0,0, JS_TypeHandlerThis),
+    JS_FN_TYPE(js_valueOf_str,              obj_valueOf,                 0,0, JS_TypeHandlerDynamic),
 #if JS_HAS_OBJ_WATCHPOINT
     JS_FN_TYPE(js_watch_str,                obj_watch,                   2,0, JS_TypeHandlerVoid),
     JS_FN_TYPE(js_unwatch_str,              obj_unwatch,                 1,0, JS_TypeHandlerVoid),
 #endif
     JS_FN_TYPE(js_hasOwnProperty_str,       obj_hasOwnProperty,          1,0, JS_TypeHandlerBool),
     JS_FN_TYPE(js_isPrototypeOf_str,        obj_isPrototypeOf,           1,0, JS_TypeHandlerBool),
     JS_FN_TYPE(js_propertyIsEnumerable_str, obj_propertyIsEnumerable,    1,0, JS_TypeHandlerBool),
 #if OLD_GETTER_SETTER_METHODS