Bug 1372956 - Fix unshift fast path to check for frozen elements. r=anba
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 27 Jun 2017 09:30:34 -0700
changeset 414971 3d4ec37aba612841efb08778528a62b11696bd95
parent 414970 5d4146242f7a28055ce9757297087620432bb48b
child 414972 140285b81cd388178e539dc67bd3820689949073
push id7566
push usermtabara@mozilla.com
push dateWed, 02 Aug 2017 08:25:16 +0000
treeherdermozilla-beta@86913f512c3c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersanba
bugs1372956
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1372956 - Fix unshift fast path to check for frozen elements. r=anba
js/src/jit-test/tests/basic/bug1372956.js
js/src/jsarray.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1372956.js
@@ -0,0 +1,5 @@
+// |jit-test| error: TypeError
+x = {};
+Array.prototype.push.call(x, 0);
+Object.freeze(x);
+Array.prototype.unshift.call(x, 0);
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2497,16 +2497,18 @@ js::array_unshift(JSContext* cx, unsigne
                 break;
             if (!obj->isNative())
                 break;
             if (ObjectMayHaveExtraIndexedProperties(obj))
                 break;
             if (MaybeInIteration(obj, cx))
                 break;
             NativeObject* nobj = &obj->as<NativeObject>();
+            if (nobj->denseElementsAreFrozen())
+                break;
             if (nobj->is<ArrayObject>() && !nobj->as<ArrayObject>().lengthIsWritable())
                 break;
             if (!nobj->tryUnshiftDenseElements(args.length())) {
                 DenseElementResult result = nobj->ensureDenseElements(cx, uint32_t(length), args.length());
                 if (result != DenseElementResult::Success) {
                     if (result == DenseElementResult::Failure)
                         return false;
                     MOZ_ASSERT(result == DenseElementResult::Incomplete);