Bug 1385838 - Check for Symbol.iterator in ArgumentsObject::obj_mayResolve instead of returning true for all symbols. r=anba
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 31 Jul 2017 18:22:45 +0200
changeset 423192 1221530577aa51b65999ea225fdd1cab8f70567c
parent 423191 76abbe45dd0acd498a19fcfdef47c001c5d147e1
child 423193 3a434c64cc3b9548ae5a4ba8a526c16594061940
push id1517
push userjlorenzo@mozilla.com
push dateThu, 14 Sep 2017 16:50:54 +0000
treeherdermozilla-release@3b41fd564418 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersanba
bugs1385838
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1385838 - Check for Symbol.iterator in ArgumentsObject::obj_mayResolve instead of returning true for all symbols. r=anba
js/src/vm/ArgumentsObject.cpp
--- a/js/src/vm/ArgumentsObject.cpp
+++ b/js/src/vm/ArgumentsObject.cpp
@@ -429,26 +429,27 @@ ArgumentsObject::obj_delProperty(JSConte
         argsobj.markIteratorOverridden();
     }
     return result.succeed();
 }
 
 /* static */ bool
 ArgumentsObject::obj_mayResolve(const JSAtomState& names, jsid id, JSObject*)
 {
-    // Arguments might resolve indexes or Symbol.iterator.
-    if (!JSID_IS_ATOM(id))
-        return true;
-
-    JSAtom* atom = JSID_TO_ATOM(id);
-    uint32_t index;
-    if (atom->isIndex(&index))
-        return true;
-
-    return atom == names.length || atom == names.callee;
+    // Arguments might resolve indexes, Symbol.iterator, or length/callee.
+    if (JSID_IS_ATOM(id)) {
+        JSAtom* atom = JSID_TO_ATOM(id);
+        uint32_t index;
+        if (atom->isIndex(&index))
+            return true;
+        return atom == names.length || atom == names.callee;
+    }
+    if (JSID_IS_SYMBOL(id))
+        return JSID_TO_SYMBOL(id)->code() == JS::SymbolCode::iterator;
+    return true;
 }
 
 static bool
 MappedArgGetter(JSContext* cx, HandleObject obj, HandleId id, MutableHandleValue vp)
 {
     MappedArgumentsObject& argsobj = obj->as<MappedArgumentsObject>();
     if (JSID_IS_INT(id)) {
         /*