author | Kannan Vijayan <kvijayan@mozilla.com> |
Wed, 24 Oct 2018 12:16:32 -0400 | |
changeset 442835 | 5671f49a7aa58b30a557cb965fe422a285613a2b |
parent 442834 | 14c0adad8a503f183a52ae35466da67c1f72f186 |
child 442836 | 79ef182cc44ef9bd252fb8c5b9c9f924690db75b |
push id | 34925 |
push user | rgurzau@mozilla.com |
push date | Wed, 24 Oct 2018 22:00:55 +0000 |
treeherder | mozilla-central@ddadc29de671 [default view] [failures only] |
reviewers | tcampbell |
bugs | 1500255 |
milestone | 65.0a1 |
js/src/jit-test/tests/cacheir/bug1500255.js | file | annotate | diff | comparison | revisions | |
js/src/jit/CacheIR.cpp | file | annotate | diff | comparison | revisions |
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1500255.js
@@ -0,0 +1,10 @@
+
+setJitCompilerOption("offthread-compilation.enable", 0);
+setJitCompilerOption("ion.warmup.trigger", 0);
+
+foo();
+
+function foo() {
+ Array.prototype.__proto__ = null;
+ Array.prototype[1] = 'bar';
+}
--- a/js/src/jit/CacheIR.cpp +++ b/js/src/jit/CacheIR.cpp @@ -4088,17 +4088,19 @@ SetPropIRGenerator::tryAttachAddOrUpdate // Don't attach if we're adding to an array with non-writable length. bool isAdd = (index >= aobj->length()); if (isAdd && !aobj->lengthIsWritable()) { return false; } // Indexed properties on the prototype chain aren't handled by the helper. - if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) { + if ((aobj->staticPrototype() != nullptr) && + ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) + { return false; } // Ensure we are still talking about an array class. writer.guardClass(objId, GuardClassKind::Array); // The helper we are going to call only applies to non-dense elements. writer.guardIndexGreaterThanDenseInitLength(objId, indexId);
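Review bot: The null check added to the `if` ahead of `return false;` repairs this call site only, leaving the precondition it exposes (that `ObjectMayHaveExtraIndexedProperties` must be given a non-null object) undocumented and unenforced for any other caller. Reading the prototype once would make the intent clearer and drop the repeated call: `JSObject* proto = aobj->staticPrototype();` then `if (proto && ObjectMayHaveExtraIndexedProperties(proto)) {`. The comment above the check could also state why a null prototype is acceptable, for example `// A null prototype means there is no chain that could hold indexed properties.` A `MOZ_ASSERT(obj)` at the top of the helper (its parameter name is not visible here, so `obj` is a placeholder) would make a future null caller fail loudly in debug builds. The enclosing SetPropIRGenerator function begins before and continues past this hunk, so whether the emitted guards also pin the prototype at run time cannot be confirmed from these lines.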