71327 - assert in js_LookupProperty doesn't handle obj2 != obj

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[John Bandhauer]

Brendan Eich wrote:
> 
> John Bandhauer wrote:
> 
> > http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#1970
> >
> > It looks to me like the assert...
> >   JS_ASSERT(OBJ_SCOPE(obj) == scope);
> > ....is wrong because it does not allow for the newresolve case
> > where obj2!=obj.
> 
> Oops, right you are.  Could be fixed by setting obj = obj2 iff sym is
> non-null in the newresolve case after looking up id again if MAP_IS_NATIVE.
> 
> > I am intending to use this newresolve feature to reflect
> > properties of 'tearoffs' as if they were properties of my
> > flattened object. I'm supposed to be able to do this, no? It
> > works for me if I comment out the assert.
> 
> I'd #ifdef DEBUG the 'if (sym) obj = obj2;' after the sym re-lookup in
> the newresolve case.
> 
> /be

It looks to me like I need to make the check condition on sym_property(sym) too,
else we risk following the proto chain of obj2 if the newresolve sets obj2 but
does not really define a property as expected on obj2. No?

I'll attach a proposed fix looking for r/sr

Comment 1

[John Bandhauer]

Attachment: proposed fix

Comment 2

[Phil Schwartau]

If there is a testcase for this, let me know and I will add it to the suite - 

Comment 3

[Patrick C. Beard]

Marking 0.8.1.

Comment 4

[John Bandhauer]

brendan checked in the fix for this.

Comment 5

[Phil Schwartau]

Marking Verified - see 

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&fi
le=jsobj.c&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.82&r
ev2=3.83