Bug 1135718 - Convert unboxed plain objects to natives before changin…

…g their prototype, r=jandem.
rmottola · Aug 14, 2019 · f6c3fe7 · f6c3fe7
1 parent c55378e
commit f6c3fe7
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/js/src/jit-test/tests/basic/bug1135718.js b/js/src/jit-test/tests/basic/bug1135718.js
@@ -0,0 +1,13 @@
+
+setJitCompilerOption("ion.warmup.trigger", 30);
+function ArrayCallback(state)
+  this.state = state;
+ArrayCallback.prototype.isUpperCase = function(v, index, array) {
+    return this.state ? true : (v == v.toUpperCase());
+};
+strings = ['hello', 'Array', 'WORLD'];
+obj = new ArrayCallback(false);
+strings.filter(obj.isUpperCase, obj)
+obj = new ArrayCallback(true);
+strings.filter(obj.isUpperCase, obj)
+obj.__proto__ = {};
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
@@ -3060,6 +3060,11 @@ js::SetPrototype(JSContext *cx, HandleObject obj, HandleObject proto, JS::Object
             return false;
     }
 
+    // Convert unboxed objects to their native representations before changing
+    // their prototype/group, as they depend on the group for their layout.
+    if (obj->is<UnboxedPlainObject>() && !UnboxedPlainObject::convertToNative(cx, obj))
+        return false;
+
     Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
     if (!SetClassAndProto(cx, obj, obj->getClass(), taggedProto))
         return false;