From c006ac8bbd564e98e408f0de29e63980e4cccc92 Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Thu, 1 Oct 2015 09:37:46 -0500
Subject: [PATCH] Bug 1206700 - Fix an bug in property assignment, recently exposed by Reflect.set. r=waldo

SetExistingProperty() contains a fast path for the case when pobj and receiver refer to the same object. Ordinarily, if that much is true, then obj also refers to the same object, but with Reflect.set() it is possible to arrange for receiver == pobj to be true while obj is some other object.
---
 js/src/tests/ecma_6/Object/bug-1206700.js | 9 +++++++++
 js/src/vm/NativeObject.cpp | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 js/src/tests/ecma_6/Object/bug-1206700.js
diff --git a/js/src/tests/ecma_6/Object/bug-1206700.js b/js/src/tests/ecma_6/Object/bug-1206700.js
new file mode 100644
index 000000000000..d7a3fb93a07b
--- /dev/null
+++ b/js/src/tests/ecma_6/Object/bug-1206700.js
@@ -0,0 +1,9 @@
+var x = {};
+Reflect.set(x, "prop", 5, Object.prototype);
+var y = {};
+Reflect.set(y, "prop", 6, Object.prototype);
+assertEq(x.hasOwnProperty("prop"), false);
+assertEq(y.hasOwnProperty("prop"), false);
+assertEq(Object.prototype.prop, 6);
+
+reportCompare(0, 0, "ok");
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index df02d2c984b8..c5fac11645ea 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -2244,7 +2244,7 @@ SetExistingProperty(JSContext* cx, HandleNativeObject obj, HandleId id, HandleVa
 Rooted arr(cx, &pobj->as());
 return ArraySetLength(cx, arr, id, shape->attributes(), v, result);
 }
- return NativeSetExistingDataProperty(cx, obj, shape, v, receiver, result);
+ return NativeSetExistingDataProperty(cx, pobj, shape, v, receiver, result);
 }
 // SpiderMonkey special case: assigning to an inherited slotless
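Review bot: Only the second Reflect.set call exercises the path the commit fixes, and nothing in the new test file says so: the first call creates `prop` on Object.prototype (the receiver), and only the second one reaches SetExistingProperty with pobj == receiver while obj is a different object. A comment above the first call, `// First call defines Object.prototype.prop; the second assigns to the existing property with pobj == receiver != obj (bug 1206700).`, would spare the next reader from reconstructing that from the commit message. The test also leaves `prop` on Object.prototype after the assertions; if this file can run in a shell shared with other tests, a `delete Object.prototype.prop;` before the reportCompare line keeps the prototype clean for them.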
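Review bot: The corrected argument on the `+` line rests on an invariant that is stated only in the commit message, not in the code: this fast path is taken because pobj == receiver, so the property being written lives on pobj, and with Reflect.set obj may be some other object. A comment on the changed line, `// pobj, not obj: with Reflect.set, receiver == pobj can hold while obj is a different object (bug 1206700).`, records that where the next refactor of SetExistingProperty will see it. The condition that establishes pobj == receiver, and the rest of SetExistingProperty, lie outside the hunk, so I cannot tell from here whether an assertion of that relationship already sits near this call; if it does not, one would make the reason for passing pobj checkable rather than implicit.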