commit 6e9b70a60f870dc766dd7ec5be8101e06542435a
parent 30f51c47c12dd9576fb3b0e98bbd7f024a057d4f
Author: Iain Ireland <iireland@mozilla.com>
Date: Thu, 27 Nov 2025 19:28:37 +0000
Bug 2002748: Get expected shape before generating CacheIR r=jandem
Differential Revision: https://phabricator.services.mozilla.com/D274321
Diffstat:
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/js/src/jit-test/tests/cacheir/bug2002748.js b/js/src/jit-test/tests/cacheir/bug2002748.js
@@ -0,0 +1,6 @@
+// |jit-test| --fuzzing-safe; --blinterp-eager; --more-compartments
+
+gczeal(6);
+var x = newGlobal();
+Debugger(x);
+x.eval("new class { constructor() { Object.keys(Object); } }");
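Review bot: The new test has no comment linking its flags and `gczeal(6)` to the failure it reproduces, so a later test cleanup cannot tell which parts are essential. A short header would help, for example `// Bug 2002748: Object.keys IC must fetch the expected array shape before emitting CacheIR.` The role of `Debugger(x)` and `--more-compartments` in reaching the failing path is not visible on this page and is worth one more line from the author.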
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
@@ -10420,6 +10420,13 @@ AttachDecision InlinableNativeIRGenerator::tryAttachObjectKeys() {
return AttachDecision::NoAction;
}
+ Shape* expectedObjKeysShape =
+ GlobalObject::getArrayShapeWithDefaultProto(cx_);
+ if (!expectedObjKeysShape) {
+ cx_->recoverFromOutOfMemory();
+ return AttachDecision::NoAction;
+ }
+
// Generate cache IR code to attach a new inline cache which will delegate the
// call to Object.keys to the native function.
Int32OperandId argcId = initializeInputOperand();
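Review bot: Nothing at the moved `expectedObjKeysShape` lookup records that its position matters, so a later refactor could move it back next to `writer.objectKeysResult`, where the value is used. Going by the commit title, the lookup has to succeed or return `NoAction` before `initializeInputOperand()` and the guards emit any CacheIR. What the lookup can trigger is not shown here, though the `gczeal(6)` test suggests allocation and therefore GC. I would add a comment above it, such as `// Must run before any CacheIR is emitted: this lookup is fallible and we must not bail out with NoAction after ops have been written.` The body of `tryAttachObjectKeys` starts and ends outside this hunk, so other fallible calls after the first writer op could not be checked from here.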
@@ -10439,13 +10446,6 @@ AttachDecision InlinableNativeIRGenerator::tryAttachObjectKeys() {
// Guard against proxies.
writer.guardIsNotProxy(argObjId);
- Shape* expectedObjKeysShape =
- GlobalObject::getArrayShapeWithDefaultProto(cx_);
- if (!expectedObjKeysShape) {
- cx_->recoverFromOutOfMemory();
- return AttachDecision::NoAction;
- }
-
// Compute the keys array.
writer.objectKeysResult(argObjId, expectedObjKeysShape);