Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1500255.js
@@ -0,0 +1,10 @@
+
+setJitCompilerOption("offthread-compilation.enable", 0);
+setJitCompilerOption("ion.warmup.trigger", 0);
+
+foo();
+
+function foo() {
+ Array.prototype.__proto__ = null;
+ Array.prototype[1] = 'bar';
+}
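Review bot: The regression test only checks that the store on `Array.prototype[1] = 'bar';` does not crash; it never verifies that the store actually landed, so a future change that silently drops the write when the prototype chain ends in null would still pass. Add `assertEq(Array.prototype[1], 'bar');` after the assignment in foo() so the behavior, not just the absence of a crash, is pinned. The assignment also executes exactly once, so if the intent is to exercise the attached stub rather than only the attach path, it is worth considering a small loop around the store (e.g. `for (var i = 0; i < 5; i++) Array.prototype[i + 1] = 'bar';`) — whether the single execution already reaches the stub generator under these JIT options is not evident from the test itself, so confirm against the crash signature in the bug.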
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -4088,17 +4088,19 @@ SetPropIRGenerator::tryAttachAddOrUpdate
// Don't attach if we're adding to an array with non-writable length.
bool isAdd = (index >= aobj->length());
if (isAdd && !aobj->lengthIsWritable()) {
return false;
}
// Indexed properties on the prototype chain aren't handled by the helper.
- if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) {
+ if ((aobj->staticPrototype() != nullptr) &&
+ ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype()))
+ {
return false;
}
// Ensure we are still talking about an array class.
writer.guardClass(objId, GuardClassKind::Array);
// The helper we are going to call only applies to non-dense elements.
writer.guardIndexGreaterThanDenseInitLength(objId, indexId);