[INFER] Fix broken test for integer properties in AnalyzeNewScriptProperties, bug 660597.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 31 May 2011 07:31:35 -0700
changeset 75125 d6857a2609d5b4c003ed1175f6dec31db5dbca91
parent 75124 0cc71b0c30f4231241dee050b18cef2ca45d46b4
child 75126 0d8de54ff33232b0024937ecd7ee714c7613a951
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs660597
milestone6.0a1
[INFER] Fix broken test for integer properties in AnalyzeNewScriptProperties, bug 660597.
js/src/jit-test/tests/basic/bug660597.js
js/src/jsinfer.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug660597.js
@@ -0,0 +1,5 @@
+
+function foo() {
+  with(foo) this["00"]=function(){}
+}
+new foo;
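Review bot: The test carries no comment saying what it guards or what counts as passing; it makes no assertion, so it presumably passes only by not crashing or asserting during `new foo`. A one-line header such as `// Bug 660597: constructing foo must not assert when it sets the numeric-looking property "00".` would stop a later reader from simplifying away the `with` block or the string key. If the `with(foo)` wrapper is needed to reach the affected opcode path, the comment should say so.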
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -4449,17 +4449,23 @@ AnalyzeNewScriptProperties(JSContext *cx
         pc = script->code + uses->offset;
         UntrapOpcode untrapUse(cx, script, pc);
 
         op = JSOp(*pc);
 
         JSObject *obj = *pbaseobj;
 
         if (op == JSOP_SETPROP && uses->u.which == 1) {
-            jsid id = GetAtomId(cx, script, pc, 0);
+            /*
+             * Don't use GetAtomId here, we need to watch for SETPROP on
+             * integer properties and bail out. We can't mark the aggregate
+             * JSID_VOID type property as being in a definite slot.
+             */
+            unsigned index = js_GetIndexFromBytecode(cx, script, pc, 0);
+            jsid id = ATOM_TO_JSID(script->getAtom(index));
             if (MakeTypeId(cx, id) != id)
                 return false;
             if (id == id_prototype(cx) || id == id___proto__(cx) || id == id_constructor(cx))
                 return false;
 
             unsigned slotSpan = obj->slotSpan();
             if (!DefineNativeProperty(cx, obj, id, UndefinedValue(), NULL, NULL,
                                       JSPROP_ENUMERATE, 0, 0, DNP_SKIP_TYPE)) {
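Review bot: The new comment explains why GetAtomId is avoided, but not that the bail-out itself is the `MakeTypeId(cx, id) != id` comparison right after the new declarations, which is meaningful only while `id` is the raw atom id. Presumably GetAtomId already returns a MakeTypeId-normalised id, which would have made that comparison always false before this change. If so, a later cleanup that restores the helper would quietly disable the guard again and let a numeric-looking name reach DefineNativeProperty as a definite-slot property. I would extend the comment with `* The MakeTypeId comparison below is the bail-out; it requires the raw, un-normalised atom id.` The body of AnalyzeNewScriptProperties starts and ends outside the hunk, so other opcode cases that may call GetAtomId could not be checked from here.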