Bug 1189744 - Fix crash after GetOwnPropertyDescriptor failed to populate all fields of desc. r=jandem, a=rkothari.
authorJason Orendorff <jorendorff@mozilla.com>
Tue, 04 Aug 2015 18:16:08 -0500
changeset 281923 d60f375bf2eb
parent 281922 1587bada854f
child 281924 f949fd1f62f8
push id4956
push userjorendorff@mozilla.com
push dateFri, 14 Aug 2015 03:37:37 +0000
treeherdermozilla-beta@d60f375bf2eb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem, rkothari
bugs1189744
milestone41.0
Bug 1189744 - Fix crash after GetOwnPropertyDescriptor failed to populate all fields of desc. r=jandem, a=rkothari.
js/src/jit-test/tests/basic/bug1189744.js
js/src/jsobj.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1189744.js
@@ -0,0 +1,11 @@
+var obj;
+for (var i = 0; i < 100; i++)
+    obj = {a: 7, b: 13, c: 42, d: 0};
+
+Object.defineProperty(obj, "x", {
+    get: function () { return 3; }
+});
+obj.__ob__ = 17;
+
+Object.defineProperty(obj, "c", {value: 8, writable: true});
+assertEq(obj.__ob__, 17);
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -2578,18 +2578,20 @@ js::GetOwnPropertyDescriptor(JSContext* 
             desc.setSetterObject(nullptr);
             desc.attributesRef() |= JSPROP_SETTER;
         }
 
         desc.value().setUndefined();
     } else {
         // This is either a straight-up data property or (rarely) a
         // property with a JSGetterOp/JSSetterOp. The latter must be
-        // reported to the caller as a plain data property, so don't
-        // populate desc.getter/setter, and mask away the SHARED bit.
+        // reported to the caller as a plain data property, so clear
+        // desc.getter/setter, and mask away the SHARED bit.
+        desc.setGetter(nullptr);
+        desc.setSetter(nullptr);
         desc.attributesRef() &= ~JSPROP_SHARED;
 
         if (IsImplicitDenseOrTypedArrayElement(shape)) {
             desc.value().set(nobj->getDenseOrTypedArrayElement(JSID_TO_INT(id)));
         } else {
             if (!NativeGetExistingProperty(cx, nobj, nobj, shape, desc.value()))
                 return false;
         }