Bug 1546228 - Check for dynamic protos in AddClearDefiniteGetterSetterForPrototypeChain. r=tcampbell
author: Jan de Mooij <jdemooij@mozilla.com>
Wed, 24 Apr 2019 19:36:17 +0000
changeset 531252 020e530d49b3b177902dad1048c90d7d9b290354
parent 531251 af2d798ce6b375492d44d7ed0b4060faad823bb5
child 531253 451701e88d92935b77385235832865dabe8c2942
push id: 11265
push user: ffxbld-merge
push date: Mon, 13 May 2019 10:53:39 +0000
reviewers: tcampbell
bugs: 1546228
milestone: 68.0a1
Bug 1546228 - Check for dynamic protos in AddClearDefiniteGetterSetterForPrototypeChain. r=tcampbell

This likely was exposed to fuzzing when we added WindowProxy to the shell.

Differential Revision: https://phabricator.services.mozilla.com/D28667
js/src/jit-test/tests/ion/bug1546228.js
js/src/vm/TypeInference.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1546228.js
@@ -0,0 +1,10 @@
+function Obj() {
+    this.a = 1;
+}
+Obj.prototype = this;
+
+function test() {
+    return o.a;
+}
+var o = new Obj();
+test();
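Review bot: the test never checks what `test()` returns, so it only catches a crash or assertion failure; a regression that silently kept `a` as a definite property despite the dynamic proto on the chain would still pass. Suggest replacing the bare `test();` with `assertEq(test(), 1);`, and adding a one-line comment on `Obj.prototype = this;` saying that this puts the shell global (the WindowProxy object the commit message refers to) onto `o`'s prototype chain, which is exactly the non-static-prototype case the new `hasStaticPrototype()` check in TypeInference.cpp is meant to bail on. Without that comment the `= this` line reads like an accident rather than the point of the test.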
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3279,16 +3279,19 @@ bool js::AddClearDefiniteGetterSetterFor
                                                        HandleId id) {
   /*
    * Ensure that if the properties named here could have a getter, setter or
    * a permanent property in any transitive prototype, the definite
    * properties get cleared from the group.
    */
   RootedObject proto(cx, group->proto().toObjectOrNull());
   while (proto) {
+    if (!proto->hasStaticPrototype()) {
+      return false;
+    }
     ObjectGroup* protoGroup = JSObject::getGroup(cx, proto);
     if (!protoGroup) {
       cx->recoverFromOutOfMemory();
       return false;
     }
     AutoSweepObjectGroup sweep(protoGroup);
     if (protoGroup->unknownProperties(sweep)) {
       return false;
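Review bot: the doc comment above the loop ("Ensure that if the properties named here could have a getter, setter or a permanent property in any transitive prototype ...") no longer describes everything the walk bails on; extend it to say that a prototype whose own [[Prototype]] is not static also forces the definite properties to be cleared, because a constraint added against the chain as it looks now could be invalidated by a later proto change, and put a short comment on the new `if (!proto->hasStaticPrototype())` check itself for the same reason. Placing the check before `JSObject::getGroup(cx, proto)` is the right order, since it avoids allocating a group for an object the walk cannot rely on. Note that `return false` here is indistinguishable to callers from the existing OOM path (after `cx->recoverFromOutOfMemory()`) and the `unknownProperties(sweep)` path; that is fine as long as every caller treats `false` as "do not make these properties definite" rather than as an error, so it is worth confirming that contract is what the callers already assume.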