Bug 1206700 - Fix an bug in property assignment, recently exposed by Reflect.set. r=waldo

SetExistingProperty() contains a fast path for the case when pobj and
receiver refer to the same object. Ordinarily, if that much is true,
then obj also refers to the same object, but with Reflect.set() it is
possible to arrange for receiver == pobj to be true while obj is some
other object.
Jason Orendorff 2015-10-01 09:37:46 -05:00
parent 9fe43dfb43
commit c006ac8bbd
2 changed files with 10 additions and 1 deletions


@ -0,0 +1,9 @@
var x = {};
Reflect.set(x, "prop", 5, Object.prototype);
var y = {};
Reflect.set(y, "prop", 6, Object.prototype);
assertEq(x.hasOwnProperty("prop"), false);
assertEq(y.hasOwnProperty("prop"), false);
assertEq(Object.prototype.prop, 6);
reportCompare(0, 0, "ok");
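Review bot: The test leaves `prop` defined on `Object.prototype` when it finishes, so anything that later runs in the same global sees an inherited `prop`; adding `delete Object.prototype.prop;` before `reportCompare` would keep it self-contained. The assertions only check `hasOwnProperty("prop")` on empty targets, whereas the commit message describes a write aimed at `obj` using a shape found on `pobj`. A target that already has own properties, with a check that they are unchanged afterwards (for example `var z = {a: 1}; Reflect.set(z, "prop", 7, Object.prototype); assertEq(z.a, 1);`), would presumably pin the regression more directly. A one-line comment at the top naming the bug number would also help readers connect the test to the fix.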


@ -2244,7 +2244,7 @@ SetExistingProperty(JSContext* cx, HandleNativeObject obj, HandleId id, HandleVa
Rooted<ArrayObject*> arr(cx, &pobj->as<ArrayObject>());
return ArraySetLength(cx, arr, id, shape->attributes(), v, result);
}
return NativeSetExistingDataProperty(cx, obj, shape, v, receiver, result);
return NativeSetExistingDataProperty(cx, pobj, shape, v, receiver, result);
}
// SpiderMonkey special case: assigning to an inherited slotless