Bug 1189744 - Fix crash after GetOwnPropertyDescriptor failed to populate all fields of desc. r=jandem, a=rkothari.
authorJason Orendorff <jorendorff@mozilla.com>
Tue, 04 Aug 2015 18:16:08 -0500
changeset 288728 f4e43d7abccd
parent 288727 96e619dc79f0
child 288729 463fe048a778
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
reviewersjandem, rkothari
bugs1189744
milestone42.0a2
Bug 1189744 - Fix crash after GetOwnPropertyDescriptor failed to populate all fields of desc. r=jandem, a=rkothari.
js/src/jit-test/tests/basic/bug1189744.js
js/src/jsobj.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1189744.js
@@ -0,0 +1,11 @@
+var obj;
+for (var i = 0; i < 100; i++)
+    obj = {a: 7, b: 13, c: 42, d: 0};
+
+Object.defineProperty(obj, "x", {
+    get: function () { return 3; }
+});
+obj.__ob__ = 17;
+
+Object.defineProperty(obj, "c", {value: 8, writable: true});
+assertEq(obj.__ob__, 17);
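Review bot: The test carries no comment saying what it guards, and its single assertion checks `obj.__ob__` rather than the property being redefined, so a reader cannot tell that the regression appears as a crash and not as a wrong value. A header such as `// Bug 1189744: redefining a data property must not reuse stale getter/setter fields left in the descriptor.` would record the intent (wording inferred from the commit title and the jsobj.cpp change), and the purpose of the 100-iteration loop deserves a word as well. Pinning the redefinition itself with `assertEq(obj.c, 8);` and `assertEq(Object.getOwnPropertyDescriptor(obj, "c").get, undefined);` would make the test fail visibly on builds where the stale state does not happen to crash.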
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -2583,18 +2583,20 @@ js::GetOwnPropertyDescriptor(JSContext* 
             desc.setSetterObject(nullptr);
             desc.attributesRef() |= JSPROP_SETTER;
         }
 
         desc.value().setUndefined();
     } else {
         // This is either a straight-up data property or (rarely) a
         // property with a JSGetterOp/JSSetterOp. The latter must be
-        // reported to the caller as a plain data property, so don't
-        // populate desc.getter/setter, and mask away the SHARED bit.
+        // reported to the caller as a plain data property, so clear
+        // desc.getter/setter, and mask away the SHARED bit.
+        desc.setGetter(nullptr);
+        desc.setSetter(nullptr);
         desc.attributesRef() &= ~JSPROP_SHARED;
 
         if (IsImplicitDenseOrTypedArrayElement(shape)) {
             desc.value().set(nobj->getDenseOrTypedArrayElement(JSID_TO_INT(id)));
         } else {
             if (!NativeGetExistingProperty(cx, nobj, nobj, shape, desc.value()))
                 return false;
         }
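Review bot: The data-property branch now clears the getter and setter by hand, but the rule this depends on is still unwritten: `desc` can arrive holding values from an earlier use, and every path must overwrite every field. The next branch added here could reintroduce the same stale-field bug. A leftover getter or setter is presumably interpreted according to the attribute bits, so a stale field looks like a memory-safety hazard rather than just a wrong result, which makes it worth guarding structurally. Consider resetting the whole descriptor once before the accessor/data split, or at minimum adding a comment such as `// desc is an out-param that may hold stale fields; each branch must set getter, setter, value and attrs.` The function begins and ends outside this hunk, so whether an earlier reset already exists cannot be confirmed from here.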