Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 03 Dec 2013 19:18:10 +0100
changeset 174267 a9aaef3ab91f2f0abbcfb775e5553045b0808cc6
parent 174266 361907c4a2ce95f67a6f618ecf7cf10a57cbc653
child 174268 bac9d5883f366bde9b6d8c1a8728fc9df93e3258
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewersbhackett
bugs945294
milestone28.0a1
Bug 945294 - Add a missing is<JSFunction> check to annotateGetPropertyCache. r=bhackett
js/src/jit-test/tests/ion/bug945294.js
js/src/jit/IonBuilder.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug945294.js
@@ -0,0 +1,22 @@
+// |jit-test| error:is not a function
+var arr = [];
+
+var C = function () {};
+C.prototype.dump = function () {};
+arr[0] = new C;
+
+C = function () {};
+C.prototype.dump = this;
+arr[1] = new C;
+
+function f() {
+    for (var i = 0; i < arr.length; i++)
+        arr[i].dump();
+}
+
+try {
+    f();
+} catch (exc) {
+    assertEq(exc.message.contains("is not a function"), true);
+}
+f();
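Review bot: The test carries no comment saying which state it sets up, so a later reader cannot tell that the second `C.prototype.dump = this` is the essential line: it places a non-function object (the top-level `this`) on the prototype where the first `C` has a function. I would add a header line such as `// arr[1]'s prototype has a non-function singleton as 'dump'; the call must throw a TypeError rather than be treated as a JSFunction.` The `try` block also passes silently if the first `f()` does not throw, so only the final `f()` together with the `error:` directive enforces the failure; that is presumably intended but deserves a one-line comment.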
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -7998,17 +7998,17 @@ IonBuilder::annotateGetPropertyCache(MDe
         if (typeObj->unknownProperties() || !typeObj->proto().isObject())
             continue;
 
         types::HeapTypeSetKey ownTypes = typeObj->property(NameToId(name));
         if (ownTypes.isOwnProperty(constraints()))
             continue;
 
         JSObject *singleton = testSingletonProperty(typeObj->proto().toObject(), name);
-        if (!singleton)
+        if (!singleton || !singleton->is<JSFunction>())
             continue;
 
         // Don't add cases corresponding to non-observed pushes
         if (!pushedTypes->hasType(types::Type::ObjectType(singleton)))
             continue;
 
         if (!inlinePropTable->addEntry(alloc(), baseTypeObj, &singleton->as<JSFunction>()))
             return false;
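Review bot: The new `is<JSFunction>()` test on `singleton` is what makes the later `singleton->as<JSFunction>()` in the `addEntry` call safe, but the two are separated by the pushedTypes check and nothing ties them together for a reader. As far as I know `as<T>()` is only assert-checked in debug builds, so before this change a release build would have stored a non-function singleton in the inline property table as a JSFunction. I would add a comment above the check, for example `// testSingletonProperty can return any singleton object; only functions may be added to the inline property table below.` Other consumers of testSingletonProperty's result are not visible in this hunk and may deserve the same look; the body of annotateGetPropertyCache starts and ends outside the hunk.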