Bug 605015: Add slot check in JSObject::methodWriteBarrier, r=dvander
authorDavid Mandelin <dmandelin@mozilla.com>
Fri, 03 Dec 2010 13:51:12 -0800
changeset 58719 a77a648a6f4cc7575659654360cdc6b0f64bd699
parent 58718 cf2a11def62608083f5cbcd0053a22b10855c4ab
child 58720 6e2ef44cf82a6a7ed0b355648fe103eb34a9785a
push id1
push usershaver@mozilla.com
push dateTue, 04 Jan 2011 17:58:04 +0000
reviewersdvander
bugs605015
milestone2.0b8pre
Bug 605015: Add slot check in JSObject::methodWriteBarrier, r=dvander
js/src/jit-test/tests/basic/bug605015.js
js/src/jsobjinlines.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug605015.js
@@ -0,0 +1,9 @@
+// |jit-test| error: TypeError 
+// don't assert
+
+print(this.watch("x",
+function() {
+  Object.defineProperty(this, "x", ({
+    get: (Int8Array)
+  }))
+}))(x = /x/)
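Review bot: The header comment `// don't assert` does not say which assertion or code path this fuzzer-style test protects, so it is hard to tell later whether it still covers the fix. I would replace it with something like `// Bug 605015: redefining a watched property as an accessor from its watch handler must not trip the slot assertion in methodWriteBarrier.` The wording is inferred from the commit title and the test body. The `error: TypeError` directive appears to be satisfied by calling the result of `print(...)`, not by the barrier path itself, so the test only shows that the engine reaches that point without asserting; a short comment saying so would prevent someone from "simplifying" the expression and losing the coverage.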
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -185,21 +185,23 @@ ChangesMethodValue(const js::Value &prev
     return prev.isObject() && (prevObj = &prev.toObject())->isFunction() &&
            (!v.isObject() || &v.toObject() != prevObj);
 }
 
 inline bool
 JSObject::methodWriteBarrier(JSContext *cx, const js::Shape &shape, const js::Value &v)
 {
     if (flags & (BRANDED | METHOD_BARRIER)) {
-        const js::Value &prev = nativeGetSlot(shape.slot);
+        if (shape.slot != SHAPE_INVALID_SLOT) {
+            const js::Value &prev = nativeGetSlot(shape.slot);
 
-        if (ChangesMethodValue(prev, v)) {
-            JS_FUNCTION_METER(cx, mwritebarrier);
-            return methodShapeChange(cx, shape);
+            if (ChangesMethodValue(prev, v)) {
+                JS_FUNCTION_METER(cx, mwritebarrier);
+                return methodShapeChange(cx, shape);
+            }
         }
     }
     return true;
 }
 
 inline bool
 JSObject::methodWriteBarrier(JSContext *cx, uint32 slot, const js::Value &v)
 {
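Review bot: The new `shape.slot != SHAPE_INVALID_SLOT` guard in the Shape overload of methodWriteBarrier has no comment saying which shapes legitimately arrive without a slot, so a reader cannot tell whether skipping the barrier is expected or hides a caller bug. I would add above it `/* Slotless shapes (e.g. accessor properties) have no previous value to compare; never index slots with the sentinel. */`. The accessor case is inferred from the regression test, which installs a getter. The `uint32 slot` overload that begins at the end of this hunk has its body outside the visible lines. It is worth confirming that no caller can hand it the sentinel, because in a build with assertions compiled out that index would presumably read outside the object's slot storage instead of stopping.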