Fix crash in ic::Name with weird scope chains (bug 616508, r=dmandelin).
authorDavid Anderson <danderson@mozilla.com>
Fri, 03 Dec 2010 11:46:53 -0800
changeset 58718 cf2a11def62608083f5cbcd0053a22b10855c4ab
parent 58717 3c1d1a61f75d260a492c6e8f243d11b6fc7e7927
child 58719 a77a648a6f4cc7575659654360cdc6b0f64bd699
push id1
push usershaver@mozilla.com
push dateTue, 04 Jan 2011 17:58:04 +0000
reviewersdmandelin
bugs616508
milestone2.0b8pre
Fix crash in ic::Name with weird scope chains (bug 616508, r=dmandelin).
js/src/jit-test/tests/jaeger/bug616508.js
js/src/methodjit/PolyIC.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug616508.js
@@ -0,0 +1,9 @@
+// |jit-test| error: ReferenceError
+// vim: set ts=4 sw=4 tw=99 et:
+try {
+    (function () {
+        __proto__ = Uint32Array()
+    }())
+} catch (e) {}(function () {
+    length, ([eval()] ? x : 7)
+})()
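Review bot: The new test carries no comment saying which behaviour it pins, so a later reader cannot tell the reduced fuzz case apart from its expected failure mode; the only hint is the `// |jit-test| error: ReferenceError` directive on the first line. A one-line header after the vim modeline would fix that, e.g. `// Regression test for bug 616508: ic::Name must not crash on this scope chain; the ReferenceError is the expected outcome.` Which identifier is expected to raise the ReferenceError is not stated either; if it is the bare `length` read, naming it in that comment would keep the test meaningful if the surrounding expression is ever simplified.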
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -1472,27 +1472,26 @@ class ScopeNameCompiler : public PICStub
                     vp->setUndefined();
                     return true;
                 }
             }
             ReportAtomNotDefined(cx, atom);
             return false;
         }
 
-        if (!obj->isNative() || !holder->isNative()) {
-            if (!obj->getProperty(cx, ATOM_TO_JSID(atom), vp))
-                return false;
-        } else {
-            const Shape *shape = getprop.shape;
-            JS_ASSERT(shape);
-            JSObject *normalized = obj;
-            if (obj->getClass() == &js_WithClass && !shape->hasDefaultGetter())
-                normalized = js_UnwrapWithObject(cx, obj);
-            NATIVE_GET(cx, normalized, holder, shape, JSGET_METHOD_BARRIER, vp, return false);
-        }
+        // If the property was found, but we decided not to cache it, then
+        // take a slow path and do a full property fetch.
+        if (!getprop.shape)
+            return obj->getProperty(cx, ATOM_TO_JSID(atom), vp);
+
+        const Shape *shape = getprop.shape;
+        JSObject *normalized = obj;
+        if (obj->getClass() == &js_WithClass && !shape->hasDefaultGetter())
+            normalized = js_UnwrapWithObject(cx, obj);
+        NATIVE_GET(cx, normalized, holder, shape, JSGET_METHOD_BARRIER, vp, return false);
 
         return true;
     }
 };
 
 class BindNameCompiler : public PICStubCompiler
 {
     JSObject *scopeChain;
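Review bot: The new code reaches `NATIVE_GET(cx, normalized, holder, shape, ...)` on the sole condition that `getprop.shape` is non-null, whereas the removed branch also required `obj->isNative() && holder->isNative()`; correctness now depends on the lookup that fills `getprop.shape` leaving it null whenever the holder is non-native, and that invariant is established outside this hunk. The comment added above the slow path only mentions "decided not to cache", so it would be worth stating the second half too, and guarding it, e.g. after `const Shape *shape = getprop.shape;` add `JS_ASSERT(holder->isNative());` so a future change to the lookup fails loudly rather than performing a native slot read on a non-native holder. A one-line comment such as `// getprop.shape is only set when holder is native, so NATIVE_GET is safe here.` would make the dependency explicit. The enclosing method starts before the hunk, so whether any earlier check already covers this cannot be confirmed from here.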