Commit 65d48642 authored by Till Schneidereit's avatar Till Schneidereit
Browse files

Bug 957004 - Guard against object being lazily typed in IsPackedArray... 

Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem

--HG--
extra : rebase_source : 824ff8327c37b430d600dd2fc070fac793f1cf1c
parent 3aa46dfe

js/src/jit-test/tests/self-hosting/bug957004.js

0 → 100644
+3 −0
Original line number Diff line number Diff line 
// No result, just mustn't crash.

Array.prototype.push(0);

Array.prototype.indexOf();

js/src/vm/SelfHosting.cpp

+1 −1
Original line number Diff line number Diff line
@@ -482,7 +482,7 @@ js::intrinsic_IsPackedArray(JSContext *cx, unsigned argc, Value *vp) 
    JS_ASSERT(args[0].isObject());



    JSObject *obj = &args[0].toObject();

    bool isPacked = obj->is<ArrayObject>() &&

    bool isPacked = obj->is<ArrayObject>() && !obj->hasLazyType() &&

                    !obj->type()->hasAllFlags(types::OBJECT_FLAG_NON_PACKED) &&

                    obj->getDenseInitializedLength() == obj->as<ArrayObject>().length();