[INFER] Scan entire prototype chain for a lookupProperty hook when nop-ing accesses on singleton objects, bug 673788.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 25 Jul 2011 15:00:42 -0700
changeset 77384 60cb5a22dc10d5e6be28e70770cbcda8b42edbc0
parent 77383 681d2903edb79aa46050872ee0962aa6527c178e
child 77385 4c2a1bf1b1ca65a21cafa138d1dce23ddb40af03
push id78
push userclegnitto@mozilla.com
push dateFri, 16 Dec 2011 17:32:24 +0000
treeherdermozilla-release@79d24e644fdd [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs673788
milestone8.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
[INFER] Scan entire prototype chain for a lookupProperty hook when nop-ing accesses on singleton objects, bug 673788.
js/src/jit-test/tests/jaeger/bug673788.js
js/src/methodjit/Compiler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug673788.js
@@ -0,0 +1,10 @@
+// |jit-test| error: ReferenceError
+p = Proxy.create({
+  has: function() {}
+})
+Object.prototype.__proto__ = p
+n = [];
+(function() {
+  var a = [];
+  if (b) t = a.s()
+})()
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -4617,20 +4617,24 @@ mjit::Compiler::testSingletonProperty(JS
      *
      * If the access definitely goes through obj, either directly or on the
      * prototype chain, then if obj has a defined property now, and the
      * property has a default or method shape, the only way it can produce
      * undefined in the future is if it is deleted. Deletion causes type
      * properties to be explicitly marked with undefined.
      */
 
-    if (!obj->isNative())
-        return false;
-    if (obj->getClass()->ops.lookupProperty)
-        return false;
+    JSObject *nobj = obj;
+    while (nobj) {
+        if (!nobj->isNative())
+            return false;
+        if (nobj->getClass()->ops.lookupProperty)
+            return false;
+        nobj = nobj->getProto();
+    }
 
     JSObject *holder;
     JSProperty *prop = NULL;
     if (!obj->lookupProperty(cx, id, &holder, &prop))
         return false;
     if (!prop)
         return false;