Bug 781855 - Fix incorrectly shadowing 'own' properties in the case o…

…f prototypal setters. (r=bhackett, a=akeybl)
mozilla · Aug 28, 2012 · dd91d46 · dd91d46
1 parent c089433
commit dd91d46
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 38 deletions.
diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
@@ -981,8 +981,14 @@ PropertyAccess(JSContext *cx, JSScript *script_, jsbytecode *pc, TypeObject *obj
         return;
     }
 
-    /* Capture the effects of a standard property access. */
-    TypeSet *types = object->getProperty(cx, id, assign);
+    /*
+     * Capture the effects of a standard property access.  For assignments, we do not
+     * automatically update the 'own' bit on accessed properties, except for indexed
+     * elements in dense arrays.  The latter exception allows for JIT fast paths to avoid
+     * testing the array's type when assigning to dense array elements.
+     */
+    bool markOwn = assign && JSID_IS_VOID(id);
+    TypeSet *types = object->getProperty(cx, id, markOwn);
     if (!types)
         return;
     if (assign) {

diff --git a/js/src/jsinfer.h b/js/src/jsinfer.h
@@ -787,7 +787,7 @@ struct TypeObject : gc::Cell
      * assignment, and the own types of the property will be used instead of
      * aggregate types.
      */
-    inline TypeSet *getProperty(JSContext *cx, jsid id, bool assign);
+    inline TypeSet *getProperty(JSContext *cx, jsid id, bool own);
 
     /* Get a property only if it already exists. */
     inline TypeSet *maybeGetProperty(JSContext *cx, jsid id);

diff --git a/js/src/jsinferinlines.h b/js/src/jsinferinlines.h
@@ -1217,7 +1217,7 @@ TypeObject::setBasePropertyCount(uint32_t count)
 }
 
 inline TypeSet *
-TypeObject::getProperty(JSContext *cx, jsid id, bool assign)
+TypeObject::getProperty(JSContext *cx, jsid id, bool own)
 {
     JS_ASSERT(cx->compartment->activeInference);
     JS_ASSERT(JSID_IS_VOID(id) || JSID_IS_EMPTY(id) || JSID_IS_STRING(id));
@@ -1248,37 +1248,8 @@ TypeObject::getProperty(JSContext *cx, jsid id, bool assign)
     }
 
     TypeSet *types = &(*pprop)->types;
-
-    if (assign && !types->isOwnProperty(false)) {
-        /*
-         * Normally, we just want to set the property as being an own property
-         * when we got a set to it. The exception is when the set is actually
-         * calling a setter higher on the prototype chain. Check to see if there
-         * is a setter higher on the prototype chain, setter the property as an
-         * own property if that is not the case.
-         */
-        bool foundSetter = false;
-
-        JSObject *protoWalk = proto;
-        while (protoWalk) {
-            if (!protoWalk->isNative()) {
-                protoWalk = protoWalk->getProto();
-                continue;
-            }
-
-            Shape *shape = protoWalk->nativeLookup(cx, id);
-
-            foundSetter = shape &&
-                          !shape->hasDefaultSetter();
-            if (foundSetter)
-                break;
-
-            protoWalk = protoWalk->getProto();
-        }
-
-        if (!foundSetter)
-            types->setOwnProperty(cx, false);
-    }
+    if (own)
+        types->setOwnProperty(cx, false);
 
     return types;
 }

diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
@@ -4616,15 +4616,14 @@ JSBool
 js_NativeSet(JSContext *cx, Handle<JSObject*> obj, Handle<JSObject*> receiver,
              Shape *shape, bool added, bool strict, Value *vp)
 {
-    AddTypePropertyId(cx, obj, shape->propid(), *vp);
-
     JS_ASSERT(obj->isNative());
 
     if (shape->hasSlot()) {
         uint32_t slot = shape->slot();
 
         /* If shape has a stub setter, just store *vp. */
         if (shape->hasDefaultSetter()) {
+            AddTypePropertyId(cx, obj, shape->propid(), *vp);
             obj->nativeSetSlot(slot, *vp);
             return true;
         }
@@ -4652,6 +4651,7 @@ js_NativeSet(JSContext *cx, Handle<JSObject*> obj, Handle<JSObject*> receiver,
     if (shapeRoot->hasSlot() &&
         (JS_LIKELY(cx->runtime->propertyRemovals == sample) ||
          obj->nativeContains(cx, shapeRoot))) {
+        AddTypePropertyId(cx, obj, shape->propid(), *vp);
         obj->setSlot(shapeRoot->slot(), *vp);
     }
 

diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
@@ -273,7 +273,7 @@ class SetPropCompiler : public PICStubCompiler
 
         pic.setPropLabels().setStubShapeJump(masm, start, stubShapeJumpLabel);
 
-        if (pic.typeMonitored) {
+        if (pic.typeMonitored || adding) {
             /*
              * Inference does not know the type of the object being updated,
              * and we need to make sure that the updateMonitoredTypes() call