Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem, a=lsblakk
authorTill Schneidereit <till@tillschneidereit.net>
Fri, 28 Feb 2014 23:48:07 +1300
changeset 176420 da5745cc5980c8f8ecc2eeedf318c383cfb4d2de
parent 176419 689b8b011263c9d9864c5ebdff3594c152cdc2a6
child 176421 fbad897c38bf0f09890ad617543b424605c8f2a8
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewersjandem, lsblakk
bugs957004
milestone28.0
Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem, a=lsblakk
js/src/jit-test/tests/self-hosting/bug957004.js
js/src/vm/SelfHosting.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/self-hosting/bug957004.js
@@ -0,0 +1,3 @@
+// No result, just mustn't crash.
+Array.prototype.push(0);
+Array.prototype.indexOf();
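Review bot: The test pins only "does not crash"; the last line could also pin the value so a future regression that silently returns a wrong answer from the packed-array fast path is caught too. After `Array.prototype.push(0)` the prototype holds a single `0`, and `indexOf()` with no argument searches for `undefined`, so the expected result is `-1`: `assertEq(Array.prototype.indexOf(), -1);` (assuming the jit-test harness's `assertEq` is in scope here, as it is for other tests in this directory). The leading comment would then read `// Must not crash, and must still give the right answer.`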
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@@ -469,17 +469,17 @@ js::intrinsic_HaveSameClass(JSContext *c
 bool
 js::intrinsic_IsPackedArray(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     JS_ASSERT(args.length() == 1);
     JS_ASSERT(args[0].isObject());
 
     JSObject *obj = &args[0].toObject();
-    bool isPacked = obj->is<ArrayObject>() &&
+    bool isPacked = obj->is<ArrayObject>() && !obj->hasLazyType() &&
                     !obj->type()->hasAllFlags(types::OBJECT_FLAG_NON_PACKED) &&
                     obj->getDenseInitializedLength() == obj->as<ArrayObject>().length();
 
     args.rval().setBoolean(isPacked);
     return true;
 }
 
 static bool
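Review bot: The new `!obj->hasLazyType()` operand on the `isPacked` line makes a lazily typed array report "not packed" without saying why, which a later reader is likely to "simplify" away. The guard is what keeps `obj->type()` on the next line from running on an object whose type has not been materialised (the regression test suggests `Array.prototype` is such an object, though that is inferred from the test rather than visible here), and answering false is the safe direction because it only forces callers off the fast path. I would add above the assignment: `// A lazily typed object has no type object to inspect; report it as non-packed so callers take the generic path instead of forcing type creation here.` Note also that `JS_ASSERT(args[0].isObject())` is debug-only, so in release builds `toObject()` still relies on every self-hosted caller passing an object — pre-existing, but worth stating in a comment since this intrinsic is reachable from any self-hosted function.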