Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell
authorKannan Vijayan <kvijayan@mozilla.com>
Wed, 24 Oct 2018 12:16:32 -0400
changeset 442773 5671f49a7aa58b30a557cb965fe422a285613a2b
parent 442772 14c0adad8a503f183a52ae35466da67c1f72f186
child 442774 79ef182cc44ef9bd252fb8c5b9c9f924690db75b
push id109234
push userkvijayan@mozilla.com
push dateWed, 24 Oct 2018 16:16:40 +0000
reviewerstcampbell
bugs1500255
milestone65.0a1
Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell
js/src/jit-test/tests/cacheir/bug1500255.js
js/src/jit/CacheIR.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1500255.js
@@ -0,0 +1,10 @@
+
+setJitCompilerOption("offthread-compilation.enable", 0);
+setJitCompilerOption("ion.warmup.trigger", 0);
+
+foo();
+
+function foo() {
+    Array.prototype.__proto__ = null;
+    Array.prototype[1] = 'bar';
+}
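Review bot: The test drives the crash path but asserts nothing, so a regression that changes behaviour without crashing (for example the out-of-bounds write silently not landing on Array.prototype) would still pass; add `assertEq(Array.prototype[1], 'bar');` after the assignment in foo. The file also carries no explanation of what it reproduces, which makes the odd `Array.prototype.__proto__ = null` line look like a mistake to the next reader; a leading comment such as `// Bug 1500255: an out-of-bounds element store on an array whose prototype is null must not crash the CacheIR stub generator.` would replace the blank first line. Whether the JIT options on the first two lines are what forces the store through the stub generator cannot be confirmed from this file alone.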
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -4088,17 +4088,19 @@ SetPropIRGenerator::tryAttachAddOrUpdate
 
     // Don't attach if we're adding to an array with non-writable length.
     bool isAdd = (index >= aobj->length());
     if (isAdd && !aobj->lengthIsWritable()) {
         return false;
     }
 
     // Indexed properties on the prototype chain aren't handled by the helper.
-    if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) {
+    if ((aobj->staticPrototype() != nullptr) &&
+        ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype()))
+    {
         return false;
     }
 
     // Ensure we are still talking about an array class.
     writer.guardClass(objId, GuardClassKind::Array);
 
     // The helper we are going to call only applies to non-dense elements.
     writer.guardIndexGreaterThanDenseInitLength(objId, indexId);
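Review bot: The new condition evaluates `aobj->staticPrototype()` twice and spreads the guard over three lines with a dangling brace; binding the prototype once reads as a single check: `JSObject* proto = aobj->staticPrototype();` followed by `if (proto && ObjectMayHaveExtraIndexedProperties(proto)) {`. The comment above the check should also say why a null prototype may skip it, e.g. `// A null prototype has no chain that could carry indexed properties, so only a non-null one needs the check.`, since the current comment only explains the non-null case. If ObjectMayHaveExtraIndexedProperties has other callers that can be handed a null prototype, making the helper itself accept null would cover them as well, but that cannot be confirmed from this hunk. The enclosing function (tryAttachAddOrUpdate… per the hunk header) starts and ends outside the hunk.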