Bug 792944 - Idempotent caches should reject singleton properties that require monitoring. r=dvander

js/src/ion/IonCaches.cpp

@@ -278,6 +278,18 @@ TryAttachNativeStub(JSContext *cx, IonCacheGetProperty &cache, HandleObject obj,
     if (!IsCacheableGetProp(obj, holder, shape))
         return true;
 
+    // TI infers the possible types of native object properties. There's one
+    // edge case though: for singleton objects it does not add the initial
+    // "undefined" type, see the propertySet comment in jsinfer.h. We can't
+    // monitor the return type inside an idempotent cache though, so we don't
+    // handle this case.
+    if (cache.idempotent() &&
+        holder->hasSingletonType() &&
+        holder->getSlot(shape->slot()).isUndefined())
+    {
+        return true;
+    }
+
     *isCacheableNative = true;
 
     if (cache.stubCount() < MAX_STUBS) {

js/src/jit-test/tests/ion/bug792944.js

@@ -0,0 +1,13 @@
+function whoo() {
+    (new Object()).foo()
+}
+Object.prototype.foo = function() { return undefined };
+whoo();
+Object.prototype.foo = undefined;
+gc();
+try {
+    whoo();
+    assertEq(0, 1);
+} catch(e) {
+    assertEq(e instanceof TypeError, true);
+}