Fix bug 454266 - js_FillPropertyCache uses the wrong scope's shape sometimes (r=mrbkap).

2025-01-10 05:47:04 +00:00 · 2008-09-08 15:51:47 -07:00 · 2008-09-08 15:51:47 -07:00 · 5b1591656c
commit 5b1591656c
parent ee3d4c3946
2 changed files with 2 additions and 2 deletions
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -258,7 +258,7 @@ js_FillPropertyCache(JSContext *cx, JSObject *obj, jsuword kshape,
     * but that is a one-time event and we'll have to miss the old shape and
     * re-fill under the new one.
     */
-    if (!(cs->format & (JOF_SET | JOF_INCDEC)))
+    if (!(cs->format & (JOF_SET | JOF_INCDEC)) && obj == pobj)
        kshape = scope->shape;

    khash = PROPERTY_CACHE_HASH_PC(pc, kshape);
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -3458,7 +3458,7 @@ TraceRecorder::test_property_cache_direct_slot(JSObject* obj, LIns* obj_ins, uin
        return true;
    }

-    /* Insist if setting on obj being the directly addressed object. */
+    /* If modifying the slot, insist on obj being the directly addressed object. */
    uint32 setflags = (js_CodeSpec[*cx->fp->regs->pc].format & (JOF_SET | JOF_INCDEC));
    if (setflags && obj2 != obj)
        ABORT_TRACE("JOF_SET opcode hit prototype chain");