Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell
authorKannan Vijayan <kvijayan@mozilla.com>
Wed, 24 Oct 2018 12:16:32 -0400
changeset 442835 5671f49a7aa58b30a557cb965fe422a285613a2b
parent 442834 14c0adad8a503f183a52ae35466da67c1f72f186
child 442836 79ef182cc44ef9bd252fb8c5b9c9f924690db75b
push id34925
push userrgurzau@mozilla.com
push dateWed, 24 Oct 2018 22:00:55 +0000
reviewerstcampbell
bugs1500255
milestone65.0a1
Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell
js/src/jit-test/tests/cacheir/bug1500255.js
js/src/jit/CacheIR.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1500255.js
@@ -0,0 +1,10 @@
+
+setJitCompilerOption("offthread-compilation.enable", 0);
+setJitCompilerOption("ion.warmup.trigger", 0);
+
+foo();
+
+function foo() {
+    Array.prototype.__proto__ = null;
+    Array.prototype[1] = 'bar';
+}
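Review bot: The new test has neither an assertion nor a comment saying what outcome it checks, so a reader cannot tell that a silent pass is the expected result; a header comment recording the intent, presumably that the out-of-bounds store completes without an assertion failure or crash, would help, e.g. `// Bug 1500255: an OOB element store on an array whose prototype is null must not trip the SetProp IC stub generator.` The leading blank line at the top of the file can also be dropped.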
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -4088,17 +4088,19 @@ SetPropIRGenerator::tryAttachAddOrUpdate
 
     // Don't attach if we're adding to an array with non-writable length.
     bool isAdd = (index >= aobj->length());
     if (isAdd && !aobj->lengthIsWritable()) {
         return false;
     }
 
     // Indexed properties on the prototype chain aren't handled by the helper.
-    if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) {
+    if ((aobj->staticPrototype() != nullptr) &&
+        ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype()))
+    {
         return false;
     }
 
     // Ensure we are still talking about an array class.
     writer.guardClass(objId, GuardClassKind::Array);
 
     // The helper we are going to call only applies to non-dense elements.
     writer.guardIndexGreaterThanDenseInitLength(objId, indexId);
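Review bot: The new condition evaluates `aobj->staticPrototype()` twice; hoisting it into a local, `JSObject* proto = aobj->staticPrototype(); if (proto && ObjectMayHaveExtraIndexedProperties(proto)) { return false; }`, reads more clearly and makes the null case explicit. Skipping the check for a null prototype is only sound if the attached stub also guards that the prototype stays null (or that the prototype chain's shape is unchanged), since a later `__proto__` assignment could otherwise re-introduce indexed prototype properties that the helper does not handle; the guards emitted after `guardIndexGreaterThanDenseInitLength` are outside this hunk, so I cannot confirm that here. A one-line why-comment on the new condition, `// A null prototype has no indexed properties to shadow; nothing to check.`, would record why the branch is safe. tryAttachAddOrUpdateSparseElement begins before and continues after the hunk.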