Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett, a=bajaj
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 03 Dec 2013 19:18:10 +0100
changeset 167621 47cb3fdf32f92d672e0a06a41641d9fbd0d4e3bb
parent 167620 5368478c4dde86a6adcbcff8c62423f4ed3aa307
child 167622 9e736f2c0654d65834cd6feee4060602b1d2c0ee
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
treeherdermozilla-release@cd72a7ff3a75 [default view] [failures only]
reviewersbhackett, bajaj
bugs945294
milestone27.0a2
Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett, a=bajaj
js/src/jit-test/tests/ion/bug945294.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug945294.js
@@ -0,0 +1,22 @@
+// |jit-test| error:is not a function
+var arr = [];
+
+var C = function () {};
+C.prototype.dump = function () {};
+arr[0] = new C;
+
+C = function () {};
+C.prototype.dump = this;
+arr[1] = new C;
+
+function f() {
+    for (var i = 0; i < arr.length; i++)
+        arr[i].dump();
+}
+
+try {
+    f();
+} catch (exc) {
+    assertEq(exc.message.contains("is not a function"), true);
+}
+f();
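Review bot: The test carries no comment explaining its setup, so the purpose of `C.prototype.dump = this;` is easy to miss. That line makes the second prototype's `dump` a singleton object that is not a function. I would add above the second `C = function () {};` something like `// Second prototype: 'dump' is the global object, a singleton that is not a JSFunction.` A comment before the final `f();` should also say that the uncaught call is deliberate and is matched by the `|jit-test| error:is not a function` directive. The `try` block on its own passes silently if `f()` does not throw, so the last call is presumably the one that pins the behaviour.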
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -7919,17 +7919,17 @@ IonBuilder::annotateGetPropertyCache(JSC
 
         types::HeapTypeSetKey ownTypes = typeObj->property(NameToId(name));
         if (ownTypes.notEmpty(constraints()))
             continue;
 
         JSObject *singleton;
         if (!testSingletonProperty(typeObj->proto().toObject(), name, &singleton))
             return false;
-        if (!singleton)
+        if (!singleton || !singleton->is<JSFunction>())
             continue;
 
         // Don't add cases corresponding to non-observed pushes
         if (!pushedTypes->hasType(types::Type::ObjectType(singleton)))
             continue;
 
         if (!inlinePropTable->addEntry(baseTypeObj, &singleton->as<JSFunction>()))
             return false;
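Review bot: The new `!singleton->is<JSFunction>()` guard has no comment tying it to the cast it protects, `&singleton->as<JSFunction>()` in the `addEntry` call a few lines below. Without that link a later refactor could drop the check or move the cast ahead of it. If `as<>` is only assertion-checked, as it appears to be, a non-function singleton would then be treated as a `JSFunction` in builds without assertions. I would add above the check `// testSingletonProperty can yield any singleton object; only functions may go into the inline table, since addEntry below casts with as<JSFunction>().` The body of annotateGetPropertyCache starts and ends outside this hunk, so other uses of `testSingletonProperty` that assume a function result are not visible here and are worth checking for the same gap.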