Bug 1206700 - Fix an bug in property assignment, recently exposed by Reflect.set. r=waldo, a=al
authorJason Orendorff <jorendorff@mozilla.com>
Thu, 01 Oct 2015 09:37:46 -0500
changeset 291287 556adfdf68c3
parent 291286 ad9b70fef588
child 291288 322adf3cdef3
push id934
push userraliiev@mozilla.com
push date2015-10-26 12:58 +0000
reviewerswaldo, al
bugs1206700
milestone42.0
Bug 1206700 - Fix a bug in property assignment, recently exposed by Reflect.set. r=waldo, a=al SetExistingProperty() contains a fast path for the case when pobj and receiver refer to the same object. Ordinarily, if that much is true, then obj also refers to the same object, but with Reflect.set() it is possible to arrange for receiver == pobj to be true while obj is some other object.
js/src/tests/ecma_6/Object/bug-1206700.js
js/src/vm/NativeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/tests/ecma_6/Object/bug-1206700.js
@@ -0,0 +1,9 @@
+var x = {};
+Reflect.set(x, "prop", 5, Object.prototype);
+var y = {};
+Reflect.set(y, "prop", 6, Object.prototype);
+assertEq(x.hasOwnProperty("prop"), false);
+assertEq(y.hasOwnProperty("prop"), false);
+assertEq(Object.prototype.prop, 6);
+
+reportCompare(0, 0, "ok");
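Review bot: The test asserts the resulting property state but never checks what the two `Reflect.set` calls return, so a set that reports failure while still leaving the state as expected would not be caught. Wrapping each call as `assertEq(Reflect.set(x, "prop", 5, Object.prototype), true);` and `assertEq(Reflect.set(y, "prop", 6, Object.prototype), true);` pins the success result as well. A one-line header comment naming the scenario, e.g. `// Bug 1206700: receiver == pobj (Object.prototype) while obj is a different object must not define an own property on obj.`, would also make the intent of the second call clear to readers who do not have the bug at hand.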
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -2254,17 +2254,17 @@ SetExistingProperty(JSContext* cx, Handl
             // the lookup in step 5.c again, as our caller just did it for us. The
             // result is |shape|.
 
             // Steps 5.e.i-ii.
             if (pobj->is<ArrayObject>() && id == NameToId(cx->names().length)) {
                 Rooted<ArrayObject*> arr(cx, &pobj->as<ArrayObject>());
                 return ArraySetLength(cx, arr, id, shape->attributes(), v, result);
             }
-            return NativeSetExistingDataProperty(cx, obj, shape, v, receiver, result);
+            return NativeSetExistingDataProperty(cx, pobj, shape, v, receiver, result);
         }
 
         // SpiderMonkey special case: assigning to an inherited slotless
         // property causes the setter to be called, instead of shadowing,
         // unless the existing property is JSPROP_SHADOWABLE (see bug 552432).
         if (!shape->hasSlot() && !shape->hasShadowable()) {
             // Even weirder sub-special-case: inherited slotless data property
             // with default setter. Wut.
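Review bot: The changed `NativeSetExistingDataProperty` call now passes `pobj` instead of `obj`, but nothing in the code records why the two can differ, so the next reader has to recover the reasoning from the bug. The fast path presumably sits under a `pobj == receiver` check that begins before this hunk; a comment at the call such as `// Pass pobj, not obj: with Reflect.set, receiver == pobj can hold while obj is a different object (bug 1206700).` keeps that invariant next to the code that depends on it. This is consistent with the ArraySetLength branch just above, which already operates on `pobj`. SetExistingProperty starts and ends outside the hunk.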