Bug 876098 - Make sure to not skip calling addProperty hooks when objects have them. Otherwise DOM expandos can go AWOL. r=djvj, a=akeybl
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 30 May 2013 13:01:38 -0400
changeset 142799 4acfd400902a17b4e6ff4ee804549c3452d10e08
parent 142798 1e5d085c9b129e5122b62dc8cc51a8ec6c9f787f
child 142800 568a6e1cc1a891e942610719870b8780a26a2fad
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
treeherdermozilla-beta@b69b7de8a05a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdjvj, akeybl
bugs876098
milestone23.0a2
Bug 876098 - Make sure to not skip calling addProperty hooks when objects have them. Otherwise DOM expandos can go AWOL. r=djvj, a=akeybl
dom/tests/mochitest/bugs/Makefile.in
dom/tests/mochitest/bugs/test_bug876098.html
js/src/ion/IonCaches.cpp
--- a/dom/tests/mochitest/bugs/Makefile.in
+++ b/dom/tests/mochitest/bugs/Makefile.in
@@ -140,11 +140,12 @@ MOCHITEST_FILES	= \
 		test_protochains.html \
 		test_bug817476.html \
 		test_bug823173.html \
 		test_bug850517.html \
 		test_bug848088.html \
 		test_resize_move_windows.html \
 		test_bug862540.html \
 		test_bug857555.html \
+		test_bug876098.html \
 		$(NULL)
 
 include $(topsrcdir)/config/rules.mk
new file mode 100644
--- /dev/null
+++ b/dom/tests/mochitest/bugs/test_bug876098.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=876098
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 876098</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 876098 **/
+  var div = document.createElement("div");
+  // count has to be large enough to trigger ion-compilation
+  var count = 2000;
+  // Separate function to make sure nothing weird we do block the ion-compile
+  (function() {
+    for (var i = 0; i < count; ++i) {
+      var span = document.createElement("span");
+      span.x = "foo";
+      div.appendChild(span);
+    }
+  })();
+
+  SpecialPowers.gc();
+
+  function allHaveProp() {
+    var kids = div.childNodes;
+    for (var i = 0; i < count; ++i) {
+      if (kids[i].x != "foo") {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  ok(allHaveProp(), "All spans should have the property we added");
+
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=876098">Mozilla Bug 876098</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
--- a/js/src/ion/IonCaches.cpp
+++ b/js/src/ion/IonCaches.cpp
@@ -1930,16 +1930,21 @@ IsPropertyAddInlineable(JSContext *cx, H
     RootedShape shape(cx, obj->nativeLookup(cx, id));
     if (!shape || shape->inDictionary() || !shape->hasSlot() || !shape->hasDefaultSetter())
         return false;
 
     // If object has a non-default resolve hook, don't inline
     if (obj->getClass()->resolve != JS_ResolveStub)
         return false;
 
+    // Likewise for a non-default addProperty hook, since we'll need
+    // to invoke it.
+    if (obj->getClass()->addProperty != JS_PropertyStub)
+        return false;
+
     if (!obj->isExtensible() || !shape->writable())
         return false;
 
     // walk up the object prototype chain and ensure that all prototypes
     // are native, and that all prototypes have no getter or setter
     // defined on the property
     for (JSObject *proto = obj->getProto(); proto; proto = proto->getProto()) {
         // if prototype is non-native, don't optimize