Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem
authorTill Schneidereit <till@tillschneidereit.net>
Fri, 28 Feb 2014 23:48:07 +1300
changeset 171493 3f90a1832ac4f12e9acb3c4e501c875f96739467
parent 171492 a35f5f30cd5391c9c09c57ba57173b53ff28c98f
child 171494 a1b396e1f1ddce9877f46fdeced7adc52d822f71
push id270
push userpvanderbeken@mozilla.com
push dateThu, 06 Mar 2014 09:24:21 +0000
reviewersjandem
bugs957004
milestone30.0a1
Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem
js/src/jit-test/tests/self-hosting/bug957004.js
js/src/vm/SelfHosting.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/self-hosting/bug957004.js
@@ -0,0 +1,3 @@
+// No result, just mustn't crash.
+Array.prototype.push(0);
+Array.prototype.indexOf();
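Review bot: The comment on line 20 records only the expected outcome ("mustn't crash") and not what the two statements are set up to exercise, so a later rewrite of indexOf could silently turn this into a test of nothing. A comment naming the path would keep it meaningful, e.g. `// Give Array.prototype dense elements, then call a self-hosted method that asks IsPackedArray about it (bug 957004).` That Array.prototype is in fact the lazily-typed object the fix in SelfHosting.cpp guards against is inferred from the commit title rather than visible here, so confirm the wording against the bug before landing it.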
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@@ -477,17 +477,17 @@ js::intrinsic_HaveSameClass(JSContext *c
 bool
 js::intrinsic_IsPackedArray(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     JS_ASSERT(args.length() == 1);
     JS_ASSERT(args[0].isObject());
 
     JSObject *obj = &args[0].toObject();
-    bool isPacked = obj->is<ArrayObject>() &&
+    bool isPacked = obj->is<ArrayObject>() && !obj->hasLazyType() &&
                     !obj->type()->hasAllFlags(types::OBJECT_FLAG_NON_PACKED) &&
                     obj->getDenseInitializedLength() == obj->as<ArrayObject>().length();
 
     args.rval().setBoolean(isPacked);
     return true;
 }
 
 static bool
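Review bot: The added `!obj->hasLazyType()` on line 35 makes the intrinsic report false for any lazily-typed array, and nothing in the hunk says whether that is a deliberate conservative answer or just a way to avoid the crash; a reader later tuning the self-hosted fast paths needs to know. A short comment above the expression would settle it, e.g. `// A lazily typed object has no TypeObject to inspect yet; report it as non-packed so callers fall back to the generic path.` The guard must stay to the left of `obj->type()`, since the `&&` short-circuit is what keeps `type()` from running on a lazily-typed object — presumably `type()` is only valid once the type has been materialized, confirm against JSObject. The JS test added in the same commit covers the crash but not the returned value, which is fine if the conservative false is intended.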