Don't recycle class-reserved slots onto a dictionary table's freelist (595230, r=jorendorff).

2024-11-05 16:46:26 +00:00 · 2010-09-14 17:08:16 -07:00 · 2010-09-14 17:08:16 -07:00 · c2d459282e
commit c2d459282e
parent 23773215ec
4 changed files with 33 additions and 4 deletions
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -3920,11 +3920,11 @@ JSObject::freeSlot(JSContext *cx, uint32 slot)

        /*
         * Freeing a slot other than the last one mapped by this object's
-         * shape: push the slot onto the dictionary table's freelist. We want
-         * to let the last slot be freed by shrinking the dslots vector; see
-         * js_TraceObject.
+         * shape (and not a reserved slot; see bug 595230): push the slot onto
+         * the dictionary property table's freelist. We want to let the last
+         * slot be freed by shrinking the dslots vector; see js_TraceObject.
         */
-        if (slot + 1 < limit) {
+        if (JSSLOT_FREE(clasp) <= slot && slot + 1 < limit) {
            JS_ASSERT_IF(last != SHAPE_INVALID_SLOT, last < slotSpan());
            vref.setPrivateUint32(last);
            last = slot;
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@ -32,6 +32,8 @@ script regress-588339.js
 script regress-yarr-regexp.js
 script regress-592556-c35.js
 script regress-593256.js
+fails-if(!xulRuntime.shell) script regress-595230-1.js
+fails-if(!xulRuntime.shell) script regress-595230-2.js
 script regress-595365-1.js
 fails-if(!xulRuntime.shell) script regress-595365-2.js
 script regress-569464.js
--- a/js/src/tests/js1_8_5/regress/regress-595230-1.js
+++ b/js/src/tests/js1_8_5/regress/regress-595230-1.js
@ -0,0 +1,18 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+// Contributors: Gary Kwong <gary@rumblingedge.com>, Brendan Eich <brendan@mozilla.com>
+
+var box = evalcx('lazy');
+
+var src =
+    'try {\n' +
+    '    __proto__ = Proxy.createFunction((function() {}), function() {})\n' +
+    '    var x\n' +
+    '    *\n' +
+    '} catch(e) {}\n' +
+    'default xml namespace = x\n' +
+    'for (let b in [0, 0]) <x/>\n';
+
+evalcx(src, box);
+
+this.reportCompare(0, 0, "ok");
--- a/js/src/tests/js1_8_5/regress/regress-595230-2.js
+++ b/js/src/tests/js1_8_5/regress/regress-595230-2.js
@ -0,0 +1,9 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+// Contributors: Jason Orendorff <jorendorff@mozilla.com>
+
+var s = evalcx("");
+delete s.Object;
+evalcx("var x;", s);
+
+this.reportCompare(0, 0, "ok");