Bug 973566, part 1 - Fix "Assertion failure: offsetsv.isUndefined()" with elements on Object.prototype. r=jimb.
authorJason Orendorff <jorendorff@mozilla.com>
Wed, 26 Feb 2014 08:55:35 -0600
changeset 171032 5d7c2275e34668e5f23ebec57517fdfeef6e1319
parent 171031 aacc99e7c1e5cf869249d77ce41e64ce14068f11
child 171033 b130f02b5151dda4b7046c4028ad4f849499f129
push id270
push userpvanderbeken@mozilla.com
push dateThu, 06 Mar 2014 09:24:21 +0000
reviewersjimb
bugs973566
milestone30.0a1
Bug 973566, part 1 - Fix "Assertion failure: offsetsv.isUndefined()" with elements on Object.prototype. r=jimb.
js/src/jit-test/tests/debug/bug973566.js
js/src/jsobj.cpp
js/src/jsobj.h
js/src/vm/Debugger.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug973566.js
@@ -0,0 +1,7 @@
+Object.prototype[1] = 'peek';
+var g = newGlobal();
+var dbg = Debugger(g);
+dbg.onEnterFrame = function (frame) {
+    var lines = frame.script.getAllOffsets();
+};
+g.eval("1;");
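Review bot: The test makes no assertion of its own, so it passes whenever the shell does not abort. In a build where `JS_ASSERT` is compiled out it checks nothing, and it also passes silently if `onEnterFrame` never fires. Inside the handler I would add `assertEq(Object.prototype.hasOwnProperty.call(lines, 1), true);` and `assertEq(Array.isArray(lines[1]), true);`, assuming the eval'd code is reported on line 1. A counter incremented in the handler and checked after `g.eval` with `assertEq(hits > 0, true);` would confirm the handler ran.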
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -4270,16 +4270,28 @@ js::HasOwnProperty<CanGC>(JSContext *cx,
                           HandleObject obj, HandleId id,
                           MutableHandleObject objp, MutableHandleShape propp);
 
 template bool
 js::HasOwnProperty<NoGC>(JSContext *cx, LookupGenericOp lookup,
                          JSObject *obj, jsid id,
                          FakeMutableHandle<JSObject*> objp, FakeMutableHandle<Shape*> propp);
 
+bool
+js::HasOwnProperty(JSContext *cx, HandleObject obj, HandleId id, bool *resultp)
+{
+    RootedObject pobj(cx);
+    RootedShape shape(cx);
+    if (!HasOwnProperty<CanGC>(cx, obj->getOps()->lookupGeneric, obj, id, &pobj, &shape))
+        return false;
+    *resultp = (shape != nullptr);
+    return true;
+}
+
+
 template <AllowGC allowGC>
 static MOZ_ALWAYS_INLINE bool
 NativeGetInline(JSContext *cx,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType receiver,
                 typename MaybeRooted<JSObject*, allowGC>::HandleType pobj,
                 typename MaybeRooted<Shape*, allowGC>::HandleType shape,
                 typename MaybeRooted<Value, allowGC>::MutableHandleType vp)
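Review bot: The new non-template `js::HasOwnProperty` overload has no comment stating its contract, either at this definition or at its declaration in js/src/jsobj.h. The body shows that a false return means the underlying lookup failed and that `*resultp` is written only on success. I would put `/* Set *resultp to whether obj has an own property named id. Returns false if the lookup fails, leaving *resultp unwritten. */` above the declaration. The jsobj.h declaration also omits the `extern` that the template declaration beside it carries, and this hunk leaves two blank lines after the definition where the surrounding code uses one.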
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -1281,16 +1281,19 @@ DenseRangeRef::mark(JSTracer *trc)
     js::gc::IsObjectMarked(&owner);
     uint32_t initLen = owner->getDenseInitializedLength();
     uint32_t clampedStart = Min(start, initLen);
     gc::MarkArraySlots(trc, Min(end, initLen) - clampedStart,
                        owner->getDenseElements() + clampedStart, "element");
 }
 #endif
 
+bool
+HasOwnProperty(JSContext *cx, HandleObject obj, HandleId id, bool *resultp);
+
 template <AllowGC allowGC>
 extern bool
 HasOwnProperty(JSContext *cx, LookupGenericOp lookup,
                typename MaybeRooted<JSObject*, allowGC>::HandleType obj,
                typename MaybeRooted<jsid, allowGC>::HandleType id,
                typename MaybeRooted<JSObject*, allowGC>::MutableHandleType objp,
                typename MaybeRooted<Shape*, allowGC>::MutableHandleType propp);
 
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -3365,17 +3365,17 @@ DebuggerScript_getAllOffsets(JSContext *
         if (!flowData[offset].hasNoEdges() && flowData[offset].lineno() != lineno) {
             /* Get the offsets array for this line. */
             RootedObject offsets(cx);
             RootedValue offsetsv(cx);
 
             RootedId id(cx, INT_TO_JSID(lineno));
 
             bool found;
-            if (!JSObject::hasProperty(cx, result, id, &found))
+            if (!js::HasOwnProperty(cx, result, id, &found))
                 return false;
             if (found && !JSObject::getGeneric(cx, result, result, id, &offsetsv))
                 return false;
 
             if (offsetsv.isObject()) {
                 offsets = &offsetsv.toObject();
             } else {
                 JS_ASSERT(offsetsv.isUndefined());
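Review bot: The switch to `js::HasOwnProperty` at the `found` check carries no comment saying why inherited properties must be ignored, so a later cleanup could revert it to `JSObject::hasProperty`. Above `bool found;` I would add `/* Own properties only: |result| can inherit indexed elements from Object.prototype, which script controls. */`. The `JSObject::getGeneric` call on the next line is still a general get and is correct only because `found` guards it, which is worth stating in the same comment. Other places in this file that build a result object and read it back by integer id may need the same treatment, though none are visible here. The body of DebuggerScript_getAllOffsets starts and ends outside the hunk.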