Bug 496054 - TM: Null deref [@ JITted code] involving __proto__ munging and array-like access. r=brendan

2024-10-14 13:55:43 +00:00 · 2009-06-03 16:34:37 -07:00 · 2009-06-03 16:34:37 -07:00 · 73693dae7d
commit 73693dae7d
parent 0907e50793
2 changed files with 28 additions and 1 deletions
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -299,7 +299,7 @@ js_SetProtoOrParent(JSContext *cx, JSObject *obj, uint32 slot, JSObject *pobj,
         * old prototype chain to invalidate their property cache entries, in
         * case any entries were filled by looking up starting from obj.
         */
-        JSObject *oldproto = STOBJ_GET_PROTO(obj);
+        JSObject *oldproto = obj;
        while (oldproto && OBJ_IS_NATIVE(oldproto)) {
            JS_LOCK_OBJ(cx, oldproto);
            JSScope *scope = OBJ_SCOPE(oldproto);
--- a/js/src/trace-test.js
+++ b/js/src/trace-test.js
@ -5263,6 +5263,33 @@ function testUndemoteLateGlobalSlots() {
 testUndemoteLateGlobalSlots.expected = "ok";
 test(testUndemoteLateGlobalSlots);

+function testSetProtoRegeneratesObjectShape()
+{
+  var f = function() {};
+  var g = function() {};
+  g.prototype.__proto__ = {};
+
+  function iq(obj)
+  {
+    for (var i = 0; i < 10; ++i)
+      "" + obj.prototype;
+  }
+
+  iq(f);
+  iq(f);
+  iq(f);
+  iq(f);
+  iq(g);
+
+  if (shapeOf(f.prototype) === shapeOf(g.prototype))
+    return "object shapes same after proto of one is changed";
+
+  return true;
+}
+testSetProtoRegeneratesObjectShape.expected = true;
+test(testSetProtoRegeneratesObjectShape);
+
+
 /*****************************************************************************
 *                                                                           *
 *  _____ _   _  _____ ______ _____ _______                                  *