Fix for JSCLASS_NEW_RESOLVE-related bug in js_FillPropertyCache, found by Mike Moening <MikeM@RetekSolutions.com> (418989, r=shaver, a=beltzner).
authorbrendan@mozilla.org
Wed, 19 Mar 2008 17:44:59 -0700
changeset 13342 d86cfa9cc572daaf15473e9e3b6283d9795feeef
parent 13341 63e3861f185658a626a155891386487b8ae9c838
child 13343 aa2a6d65e3f51af708710bb581e36b281e0deff0
push idunknown
push userunknown
push dateunknown
reviewersshaver, beltzner
bugs418989
milestone1.9b5pre
Fix for JSCLASS_NEW_RESOLVE-related bug in js_FillPropertyCache, found by Mike Moening <MikeM@RetekSolutions.com> (418989, r=shaver, a=beltzner).
js/src/jsinterp.c
js/src/jsinterp.h
--- a/js/src/jsinterp.c
+++ b/js/src/jsinterp.c
@@ -150,17 +150,22 @@ js_FillPropertyCache(JSContext *cx, JSOb
      */
     JS_ASSERT_IF(scopeIndex == 0 && protoIndex == 0, obj == pobj);
     if (protoIndex != 0) {
         JSObject *tmp;
 
         JS_ASSERT(pobj != obj);
         protoIndex = 1;
         tmp = obj;
-        while ((tmp = OBJ_GET_PROTO(cx, tmp)) != NULL) {
+        for (;;) {
+            tmp = OBJ_GET_PROTO(cx, tmp);
+            if (!tmp) {
+                PCMETER(cache->noprotos++);
+                return;
+            }
             if (tmp == pobj)
                 break;
             ++protoIndex;
         }
     }
     if (scopeIndex > PCVCAP_SCOPEMASK || protoIndex > PCVCAP_PROTOMASK) {
         PCMETER(cache->longchains++);
         return;
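Review bot: The early `return` taken when OBJ_GET_PROTO() yields NULL is the actual fix, but nothing in the new loop says why pobj can fail to appear on obj's proto chain; the only hints are the counter name `noprotos` and the commit title. A one-line comment above the `if (!tmp)` test, such as `/* pobj is not on obj's proto chain (e.g. a JSCLASS_NEW_RESOLVE hook resolved the property on an unrelated object): nothing to cache. */`, would spare the next reader a trip to bug 418989. The walk also assumes proto chains are acyclic; if that invariant is enforced where protos are set, naming it in the same comment would make the unbounded `for (;;)` obviously safe. js_FillPropertyCache begins and ends outside the hunk.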
@@ -420,16 +425,17 @@ js_FlushPropertyCache(JSContext *cx)
 # define P(mem) fprintf(fp, "%11s %10lu\n", #mem, (unsigned long)cache->mem)
         P(fills);
         P(nofills);
         P(rofills);
         P(disfills);
         P(oddfills);
         P(modfills);
         P(brandfills);
+        P(noprotos);
         P(longchains);
         P(recycles);
         P(pcrecycles);
         P(tests);
         P(pchits);
         P(protopchits);
         P(initests);
         P(inipchits);
--- a/js/src/jsinterp.h
+++ b/js/src/jsinterp.h
@@ -185,16 +185,17 @@ typedef struct JSPropertyCache {
     uint32              fills;          /* number of cache entry fills */
     uint32              nofills;        /* couldn't fill (e.g. default get) */
     uint32              rofills;        /* set on read-only prop can't fill */
     uint32              disfills;       /* fill attempts on disabled cache */
     uint32              oddfills;       /* fill attempt after setter deleted */
     uint32              modfills;       /* fill that rehashed to a new entry */
     uint32              brandfills;     /* scope brandings to type structural
                                            method fills */
+    uint32              noprotos;       /* resolve-returned non-proto pobj */
     uint32              longchains;     /* overlong scope and/or proto chain */
     uint32              recycles;       /* cache entries recycled by fills */
     uint32              pcrecycles;     /* pc-keyed entries recycled by atom-
                                            keyed fills */
     uint32              tests;          /* cache probes */
     uint32              pchits;         /* fast-path polymorphic op hits */
     uint32              protopchits;    /* pchits hitting immediate prototype */
     uint32              initests;       /* cache probes from JSOP_INITPROP */
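Review bot: The comment on the new `noprotos` field, `resolve-returned non-proto pobj`, describes an object rather than the event being counted, whereas every sibling field in this block names the event (a fill, a probe, a hit). Consider `/* fill skipped: pobj not on obj's proto chain */`, which also matches the PCMETER site in js_FillPropertyCache that increments it. The JSPropertyCache struct begins and ends outside the hunk.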