Bug 688685. Propcached property adds that just write to a slot are not sound when the class has an addProperty hook. r=bhackett
authorBoris Zbarsky <bzbarsky@mit.edu>
Fri, 23 Sep 2011 01:03:49 -0400
changeset 78690 4309aaa4b59b4f0d3f4d446d7739f76b10e4780a
parent 78689 27cc641828237146bdc7f92552c5bd10db62636d
child 78691 d9cd2e3f0a9a69798cea56698e97ed2159f19595
push id78
push userclegnitto@mozilla.com
push dateFri, 16 Dec 2011 17:32:24 +0000
reviewersbhackett
bugs688685
milestone9.0a1
Bug 688685. Propcached property adds that just write to a slot are not sound when the class has an addProperty hook. r=bhackett
js/src/jsinterp.cpp
js/src/methodjit/StubCalls.cpp
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -3756,17 +3756,18 @@ BEGIN_CASE(JSOP_SETMETHOD)
                 if (obj->nativeEmpty()) {
                     if (!obj->ensureClassReservedSlotsForEmptyObject(cx))
                         goto error;
                 }
 
                 uint32 slot;
                 if (shape->previous() == obj->lastProperty() &&
                     entry->vshape() == rt->protoHazardShape &&
-                    shape->hasDefaultSetter()) {
+                    shape->hasDefaultSetter() &&
+                    obj->getClass()->addProperty == JS_PropertyStub) {
                     slot = shape->slot;
                     JS_ASSERT(slot == obj->slotSpan());
 
                     /*
                      * Fast path: adding a plain old property that was once at
                      * the frontier of the property tree, whose slot is next to
                      * claim among the already-allocated slots in obj, where
                      * shape->table has not been created yet.
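Review bot: The "Fast path: adding a plain old property" comment right under the new condition still lists only the old preconditions, so the reason for `obj->getClass()->addProperty == JS_PropertyStub` is recoverable only from the bug number. I would extend that comment with `The class must have no addProperty hook: this path stores straight into the slot and would never invoke it.` The same guard and the same stale comment appear in the stubs::SetName hunk in js/src/methodjit/StubCalls.cpp, and because the two copies of this predicate must stay identical, a small shared inline helper would keep a later edit from weakening one of them. No regression test is visible in this commit; one that uses a class with an addProperty hook and a cached property add would pin the behaviour. Both enclosing bodies start and end outside the hunks, so any other cached-add paths could not be checked from here.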
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -202,17 +202,18 @@ stubs::SetName(VMFrame &f, JSAtom *origA
                 if (obj->nativeEmpty()) {
                     if (!obj->ensureClassReservedSlotsForEmptyObject(cx))
                         THROW();
                 }
 
                 uint32 slot;
                 if (shape->previous() == obj->lastProperty() &&
                     entry->vshape() == cx->runtime->protoHazardShape &&
-                    shape->hasDefaultSetter()) {
+                    shape->hasDefaultSetter() &&
+                    obj->getClass()->addProperty == JS_PropertyStub) {
                     slot = shape->slot;
                     JS_ASSERT(slot == obj->slotSpan());
 
                     /*
                      * Fast path: adding a plain old property that was once at
                      * the frontier of the property tree, whose slot is next to
                      * claim among the already-allocated slots in obj, where
                      * shape->table has not been created yet.