Bug 980013 - Watch for length accesses on typed arrays with overridden prototypes, r=luke.
authorBrian Hackett <bhackett1024@gmail.com>
Thu, 06 Mar 2014 14:03:03 -0700
changeset 189566 6f8ea87eb8d135e2f7560e951c459a277d705c81
parent 189565 288cea1386a4e5068d092f2c69064f32539c643f
child 189567 a4b4d7ee674bd5a9f45eec2ad8c40f3bf4500f70
reviewersluke
bugs980013
milestone30.0a1
Bug 980013 - Watch for length accesses on typed arrays with overridden prototypes, r=luke.
js/src/jit-test/tests/basic/bug980013.js
js/src/jit/BaselineIC.cpp
js/src/vm/Interpreter-inl.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug980013.js
@@ -0,0 +1,9 @@
+
+x = new Uint8ClampedArray;
+x.__proto__ = {};
+Object.defineProperty(this, "y", {
+    get: function() {
+        return x.length;
+    }
+});
+assertEq(y, undefined);
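Review bot: The final `assertEq(y, undefined)` does not say why `undefined` is the expected value, so a reader hitting a failure cannot tell whether the assertion or the engine is wrong; a comment above it would anchor it: `// With the prototype replaced, the TypedArray length accessor is no longer on x's chain, so x.length is undefined.` The leading blank line at the top of the file is unnecessary. The case where the replacement prototype supplies its own `length` that is an int32 (`x.__proto__ = { get length() { return 1; } }`) is not exercised here, and given that the BaselineIC change keys on `res.isInt32()` it would arguably be the more discriminating test.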
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -6001,18 +6001,18 @@ TryAttachLengthStub(JSContext *cx, JSScr
         ICStub *newStub = compiler.getStub(compiler.getStubSpace(script));
         if (!newStub)
             return false;
 
         *attached = true;
         stub->addNewStub(newStub);
         return true;
     }
-    if (obj->is<TypedArrayObject>()) {
-        JS_ASSERT(res.isInt32());
+
+    if (obj->is<TypedArrayObject>() && res.isInt32()) {
         IonSpew(IonSpew_BaselineIC, "  Generating GetProp(TypedArray.length) stub");
         ICGetProp_TypedArrayLength::Compiler compiler(cx);
         ICStub *newStub = compiler.getStub(compiler.getStubSpace(script));
         if (!newStub)
             return false;
 
         *attached = true;
         stub->addNewStub(newStub);
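Review bot: The new `res.isInt32()` condition at line 58 only detects an overridden prototype when the replacement prototype fails to produce an int32 `length`; if it does (`x.__proto__ = { get length() { return 1; } }`, or a plain data property `length: 1`), the generic lookup yields an int32, the `ICGetProp_TypedArrayLength` stub is still attached, and — unless that stub guards the prototype, which is not visible in this hunk — subsequent hits would return the typed array's internal length rather than the overridden value. Keying the decision on the result type is a proxy for the real invariant, which is that `length` still resolves to the native accessor on the canonical typed-array prototype; checking that before attaching (or adding a prototype guard to the stub itself) would close the gap. At minimum, comparing `res.toInt32()` against `obj->as<TypedArrayObject>().length()` at attach time would reject the data-property case, though not a getter whose value changes later. `TryAttachLengthStub` begins before and continues past this hunk.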
--- a/js/src/vm/Interpreter-inl.h
+++ b/js/src/vm/Interpreter-inl.h
@@ -146,21 +146,16 @@ GetLengthProperty(const Value &lval, Mut
             ArgumentsObject *argsobj = &obj->as<ArgumentsObject>();
             if (!argsobj->hasOverriddenLength()) {
                 uint32_t length = argsobj->initialLength();
                 JS_ASSERT(length < INT32_MAX);
                 vp.setInt32(int32_t(length));
                 return true;
             }
         }
-
-        if (obj->is<TypedArrayObject>()) {
-            vp.setInt32(obj->as<TypedArrayObject>().length());
-            return true;
-        }
     }
 
     return false;
 }
 
 template <bool TypeOf> inline bool
 FetchName(JSContext *cx, HandleObject obj, HandleObject obj2, HandlePropertyName name,
           HandleShape shape, MutableHandleValue vp)