commit 49150a9a555a73e21dc20181c204b6003b17c167
parent d210ff281f35b299fca956f2555cb6064e2cc679
Author: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 11 Nov 2025 16:04:27 +0000
Bug 1998050 - Check for typed array index in canAttachAddSlotStub. r=iain
Differential Revision: https://phabricator.services.mozilla.com/D271224
Diffstat:
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
@@ -5478,12 +5478,13 @@ bool SetPropIRGenerator::canAttachAddSlotStub(HandleObject obj, HandleId id) {
return false;
}
} else {
- // Normal Case: If property exists this isn't an "add"
+ // Normal Case: If property exists or is an OOB typed array index, this
+ // isn't an "add".
PropertyResult prop;
if (!LookupOwnPropertyPure(cx_, nobj, id, &prop)) {
return false;
}
- if (prop.isFound()) {
+ if (prop.isFound() || prop.isTypedArrayOutOfRange()) {
return false;
}
}
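Review bot: The new `prop.isTypedArrayOutOfRange()` check on the `if (prop.isFound() ...)` line is the whole fix, but the comment only restates it; it should say why an out-of-range typed array index is "not an add": per spec the [[Set]] is silently dropped, no property is created and the shape does not change, so an AddSlot stub attached here would encode a shape transition for a write that never happened. I would extend the comment to `// An out-of-range typed array index (including canonical numeric strings such as "-0" or "1.5") is a no-op set, not an "add": no property is created and the shape is unchanged.` This relies on `LookupOwnPropertyPure` classifying such ids as out-of-range for typed arrays rather than as not-found, which is not visible in this hunk and worth confirming. The enclosing `else` branch and the rest of `canAttachAddSlotStub` begin above the hunk.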
@@ -5587,6 +5588,10 @@ AttachDecision SetPropIRGenerator::tryAttachAddSlotStub(
}
JSObject* obj = &lhsVal_.toObject();
+ if (!obj->is<NativeObject>()) {
+ return AttachDecision::NoAction;
+ }
+ NativeObject* nobj = &obj->as<NativeObject>();
PropertyResult prop;
if (!LookupOwnPropertyPure(cx_, obj, id, &prop)) {
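Review bot: The lookup on the last hunk line still passes `obj` even though the added `nobj` is in scope three lines earlier; passing `nobj` matches the call in `canAttachAddSlotStub` and makes the native-only precondition visible at the call site: `if (!LookupOwnPropertyPure(cx_, nobj, id, &prop)) {`. Hoisting the `is<NativeObject>()` check ahead of the lookup is the right order, since the later release assert on the property kind only makes sense for native objects. `tryAttachAddSlotStub` starts above this hunk and its body continues past it.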
@@ -5596,11 +5601,7 @@ AttachDecision SetPropIRGenerator::tryAttachAddSlotStub(
return AttachDecision::NoAction;
}
- if (!obj->is<NativeObject>()) {
- return AttachDecision::NoAction;
- }
- auto* nobj = &obj->as<NativeObject>();
-
+ MOZ_RELEASE_ASSERT(prop.isNativeProperty());
PropertyInfo propInfo = prop.propertyInfo();
NativeObject* holder = nobj;
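Review bot: The new `MOZ_RELEASE_ASSERT(prop.isNativeProperty())` replaces a graceful `NoAction` with a hard crash on any found property that is a dense or typed array element, and nothing in this hunk states why that cannot happen; the invariant presumably comes from the id being a name or symbol (checked earlier in the function, outside this hunk) plus the object being native. I would put that reasoning next to the assert: `// id is a name or symbol and obj is native, so a property found after the add must be a native slot, never a dense or typed array element.` If the earlier id check does not exclude canonical numeric strings on typed arrays, the assert is reachable and should be a `NoAction` return instead; worth confirming against the top of `tryAttachAddSlotStub`, which lies above this hunk.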
@@ -5612,6 +5613,7 @@ AttachDecision SetPropIRGenerator::tryAttachAddSlotStub(
// The property must be the last added property of the object.
SharedShape* newShape = holder->sharedShape();
+ MOZ_RELEASE_ASSERT(oldShape != newShape);
MOZ_RELEASE_ASSERT(newShape->lastProperty() == propInfo);
#ifdef DEBUG