Bug 1268574 - Check the outparam JSFunction* value after GetGetterPure. r=lth a=lizzard
authorTooru Fujisawa <arai_a@mac.com>
Fri, 29 Apr 2016 02:46:22 +0900
changeset 332692 28d54417440fbd929538bb85bedd281f21c05108
parent 332691 9fef9b8ac1983b982fbf016fbccf5a81fed013a4
child 332693 fb4552d95407a2a6ec0ef5b2924fc65797fc6e1e
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
reviewerslth, lizzard
bugs1268574
milestone48.0a2
Bug 1268574 - Check the outparam JSFunction* value after GetGetterPure. r=lth a=lizzard
js/src/jit-test/tests/basic/testArrayBufferSpeciesDelete.js
js/src/jit-test/tests/basic/testArraySpeciesDelete.js
js/src/jsarray.cpp
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testArrayBufferSpeciesDelete.js
@@ -0,0 +1,5 @@
+delete ArrayBuffer[Symbol.species];
+var a = new Uint8Array(new Uint8Array([1, 2]));
+assertEq(a.length, 2);
+assertEq(a[0], 1);
+assertEq(a[1], 2);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testArraySpeciesDelete.js
@@ -0,0 +1,5 @@
+delete Array[Symbol.species];
+var a = [1, 2, 3].slice(1);
+assertEq(a.length, 2);
+assertEq(a[0], 2);
+assertEq(a[1], 3);
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -918,16 +918,19 @@ IsArraySpecies(JSContext* cx, HandleObje
         return false;
 
     RootedObject ctorObj(cx, &ctor.toObject());
     RootedId speciesId(cx, SYMBOL_TO_JSID(cx->wellKnownSymbols().species));
     JSFunction* getter;
     if (!GetGetterPure(cx, ctorObj, speciesId, &getter))
         return false;
 
+    if (!getter)
+        return false;
+
     return IsSelfHostedFunctionWithName(getter, cx->names().ArraySpecies);
 }
 
 static bool
 ArraySpeciesCreate(JSContext* cx, HandleObject origArray, uint32_t length, MutableHandleObject arr)
 {
     RootedId createId(cx, NameToId(cx->names().ArraySpeciesCreate));
     RootedFunction create(cx, JS::GetSelfHostedFunction(cx, "ArraySpeciesCreate", createId, 2));
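Review bot: `JSFunction* getter;` is still declared uninitialized just above the added `if (!getter)` check in IsArraySpecies, so the new null test is only reliable if GetGetterPure writes the outparam on every path that returns true, which this hunk does not show. Declaring it as `JSFunction* getter = nullptr;` would make the guard hold either way, and the same applies to the identical change in IsArrayBufferSpecies in js/src/vm/TypedArrayObject.cpp. A one-line comment above the check would also help the next reader, for example `// GetGetterPure can succeed without finding a getter (e.g. after delete Array[Symbol.species]); a null getter must not reach IsSelfHostedFunctionWithName.`, since the added jit-tests show that script can reach this state. IsArraySpecies begins above this hunk and ArraySpeciesCreate continues below it.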
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -781,16 +781,19 @@ IsArrayBufferSpecies(JSContext* cx, Hand
         return false;
 
     RootedObject ctorObj(cx, &ctor.toObject());
     RootedId speciesId(cx, SYMBOL_TO_JSID(cx->wellKnownSymbols().species));
     JSFunction* getter;
     if (!GetGetterPure(cx, ctorObj, speciesId, &getter))
         return false;
 
+    if (!getter)
+        return false;
+
     return IsSelfHostedFunctionWithName(getter, cx->names().ArrayBufferSpecies);
 }
 
 static bool
 GetSpeciesConstructor(JSContext* cx, HandleObject obj, bool isWrapped, MutableHandleValue ctor)
 {
     if (!isWrapped) {
         if (!GlobalObject::ensureConstructor(cx, cx->global(), JSProto_ArrayBuffer))