Bug 1190727 - Make initialization of temporary results array resilient against Array.prototype setters in self-hosted Map#next implementation. r=jandem
authorTill Schneidereit <till@tillschneidereit.net>
Tue, 04 Aug 2015 14:58:27 +0200
changeset 287761 c6ee8f383e9ee8816e13400591261c68b33cb3dd
parent 287760 4ecae4a2b9ca9c5b0d804d04943490ac7f743f37
child 287762 f6e8002ff07d390dd2fcb31612b0e8649549783e
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1190727
milestone42.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1190727 - Make initialization of temporary results array resilient against Array.prototype setters in self-hosted Map#next implementation. r=jandem
js/src/builtin/Map.js
--- a/js/src/builtin/Map.js
+++ b/js/src/builtin/Map.js
@@ -42,21 +42,18 @@ function MapIteratorNext() {
     // Steps 2-3.
     if (!IsObject(O) || !IsMapIterator(O))
         return callFunction(CallMapIteratorMethodIfWrapped, O, "MapIteratorNext");
 
     // Steps 4-5 (implemented in _GetNextMapEntryForIterator).
     // Steps 8-9 (omitted).
 
     var mapIterationResultPair = iteratorTemp.mapIterationResultPair;
-    if (!mapIterationResultPair) {
-        mapIterationResultPair = iteratorTemp.mapIterationResultPair = NewDenseArray(2);
-        mapIterationResultPair[0] = null;
-        mapIterationResultPair[1] = null;
-    }
+    if (!mapIterationResultPair)
+        mapIterationResultPair = iteratorTemp.mapIterationResultPair = [null, null];
 
     var retVal = {value: undefined, done: true};
 
     // Step 10.a, 11.
     var done = _GetNextMapEntryForIterator(O, mapIterationResultPair);
     if (!done) {
         // Steps 10.b-c (omitted).