Bug 1423173 - Check for shadowing indexed properties when adding elements. r=jandem
authorKannan Vijayan <kvijayan@mozilla.com>
Thu, 04 Jan 2018 14:36:07 -0500
changeset 449668 6a92a108abeb49eb72d5a876ff9d4b2e79a220e4
parent 449667 8526a7b083c32a1dc68d755e99a7b8964ff85cae
child 449669 58f33e7fefba4442855c2176eeb727e2928da576
push id8527
push userCallek@gmail.com
push dateThu, 11 Jan 2018 21:05:50 +0000
reviewersjandem
bugs1423173
milestone59.0a1
Bug 1423173 - Check for shadowing indexed properties when adding elements. r=jandem
js/src/jit-test/tests/arrays/bug1423173.js
js/src/jit/CacheIR.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/arrays/bug1423173.js
@@ -0,0 +1,13 @@
+// |jit-test| --baseline-eager
+Array.prototype.push(1);
+Object.freeze([].__proto__);
+var x = [];
+var c = 0;
+for (var j = 0; j < 5; ++j) {
+    try {
+        x.push(function() {});
+    } catch (e) {
+        c++;
+    }
+}
+assertEq(c, j);
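Review bot: The test freezes `[].__proto__` before the first `x.push`, so it only exercises the decision made when the stub is first considered for attachment; a prototype that becomes frozen after an add-element stub is already attached is not covered here. The file also has no comment saying what it asserts, and the final `assertEq(c, j)` is easy to misread. A header such as `// Array.prototype holds element 0 and is frozen, so every push onto an empty-derived array must throw, including under baseline ICs.` would state the intent for whoever next touches it.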
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -3401,16 +3401,19 @@ CanAttachAddElement(JSObject* obj, bool 
 
         JSObject* proto = obj->staticPrototype();
         if (!proto)
             break;
 
         if (!proto->isNative())
             return false;
 
+        if (proto->as<NativeObject>().denseElementsAreFrozen())
+            return false;
+
         obj = proto;
     } while (true);
 
     return true;
 }
 
 static void
 ShapeGuardProtoChain(CacheIRWriter& writer, JSObject* obj, ObjOperandId objId)
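Review bot: The added `denseElementsAreFrozen()` test in the proto-chain loop carries no comment, and the reason it returns false is not obvious from the code: a frozen prototype can hold a non-writable element at the index being added, in which case the add must fail rather than take the cached fast path. I would put `// A frozen proto may hold a non-writable element at this index, so the add must not take the fast path.` above it. The check runs once when the stub is attached, so it relies on the emitted guards failing if a prototype is frozen later; that is presumably what the shape guards provide, but it is not visible in this hunk. CanAttachAddElement starts above the hunk, so any earlier handling of sparse indexed properties on the chain is out of view.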