From f28d0a650aaeed47f7a2a6055c9193d5bb24def3 Mon Sep 17 00:00:00 2001
From: "brendan%mozilla.org"
 <brendan%mozilla.org@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Sun, 27 Apr 2008 20:31:24 +0000
Subject: [PATCH] Don't cache shared properties under JSOP_SET{NAME,PROP}
 (428282, r=igor, a=mconnor).

git-svn-id: svn://10.0.0.236/trunk@250847 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/js/src/jsinterp.c |  1 +
 mozilla/js/src/jsobj.c    | 35 +++++++++++++++++++----------------
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/mozilla/js/src/jsinterp.c b/mozilla/js/src/jsinterp.c
index 7c0a4472508..c36b6a19eba 100644
--- a/mozilla/js/src/jsinterp.c
+++ b/mozilla/js/src/jsinterp.c
@@ -4350,6 +4350,7 @@ interrupt:
                             JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
                             sprop = PCVAL_TO_SPROP(entry->vword);
                             JS_ASSERT(!(sprop->attrs & JSPROP_READONLY));
+                            JS_ASSERT(!(sprop->attrs & JSPROP_SHARED));
                             JS_ASSERT(!SCOPE_IS_SEALED(OBJ_SCOPE(obj)));
 
                             if (scope->object == obj) {
diff --git a/mozilla/js/src/jsobj.c b/mozilla/js/src/jsobj.c
index 5b1a7e8dcf0..f3baff9211f 100644
--- a/mozilla/js/src/jsobj.c
+++ b/mozilla/js/src/jsobj.c
@@ -3484,11 +3484,6 @@ js_FindIdentifierBase(JSContext *cx, jsid id, JSPropCacheEntry *entry)
         return NULL;
     if (prop) {
         OBJ_DROP_PROPERTY(cx, pobj, prop);
-
-        JS_ASSERT_IF(entry,
-                     entry->kpc == ((PCVCAP_TAG(entry->vcap) > 1)
-                                    ? (jsbytecode *) JSID_TO_ATOM(id)
-                                    : cx->fp->regs->pc));
         return obj;
     }
 
@@ -3809,21 +3804,25 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
                 SCOPE_MAKE_UNIQUE_SHAPE(cx, scope);
             JS_UNLOCK_SCOPE(cx, scope);
 
-            /* Don't clone a shared prototype property. */
+            /*
+             * Don't clone a shared prototype property. Don't fill it in the
+             * property cache either, since the JSOP_SETPROP/JSOP_SETNAME code
+             * in js_Interpret does not handle shared or prototype properties.
+             * Shared prototype properties require more hit qualification than
+             * the fast-path code for those ops, which is targeted on direct,
+             * slot-based properties.
+             */
             if (attrs & JSPROP_SHARED) {
+                if (entryp) {
+                    PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
+                    *entryp = NULL;
+                }
+
                 if (SPROP_HAS_STUB_SETTER(sprop) &&
                     !(sprop->attrs & JSPROP_GETTER)) {
-                    if (entryp) {
-                        PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
-                        *entryp = NULL;
-                    }
                     return JS_TRUE;
                 }
 
-                if (entryp) {
-                    js_FillPropertyCache(cx, obj, type, 0, protoIndex,
-                                         pobj, sprop, entryp);
-                }
                 return SPROP_SET(cx, sprop, obj, pobj, vp);
             }
 
@@ -3902,8 +3901,12 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, jsval *vp,
     if (!js_NativeSet(cx, obj, sprop, vp))
         return JS_FALSE;
 
-    if (entryp)
-        js_FillPropertyCache(cx, obj, type, 0, 0, obj, sprop, entryp);
+    if (entryp) {
+        if (!(attrs & JSPROP_SHARED))
+            js_FillPropertyCache(cx, obj, type, 0, 0, obj, sprop, entryp);
+        else
+            PCMETER(JS_PROPERTY_CACHE(cx).nofills++);
+    }
     JS_UNLOCK_SCOPE(cx, scope);
     return JS_TRUE;