From 5d62355423610ae29e8a2fded31a3000d911374e Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Tue, 25 Sep 2012 16:16:46 +0200
Subject: [PATCH] Bug 792944 - Idempotent caches should reject singleton properties that require monitoring. r=dvander

---
 js/src/ion/IonCaches.cpp | 12 ++++++++++++
 js/src/jit-test/tests/ion/bug792944.js | 13 +++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 js/src/jit-test/tests/ion/bug792944.js

diff --git a/js/src/ion/IonCaches.cpp b/js/src/ion/IonCaches.cpp
index 3bcf56e8bc97..b9bf60a9d054 100644
--- a/js/src/ion/IonCaches.cpp
+++ b/js/src/ion/IonCaches.cpp
@@ -278,6 +278,18 @@ TryAttachNativeStub(JSContext *cx, IonCacheGetProperty &cache, HandleObject obj,
 if (!IsCacheableGetProp(obj, holder, shape))
 return true;

+ // TI infers the possible types of native object properties. There's one
+ // edge case though: for singleton objects it does not add the initial
+ // "undefined" type, see the propertySet comment in jsinfer.h. We can't
+ // monitor the return type inside an idempotent cache though, so we don't
+ // handle this case.
+ if (cache.idempotent() &&
+ holder->hasSingletonType() &&
+ holder->getSlot(shape->slot()).isUndefined())
+ {
+ return true;
+ }
+
 *isCacheableNative = true;

 if (cache.stubCount() < MAX_STUBS) {
diff --git a/js/src/jit-test/tests/ion/bug792944.js b/js/src/jit-test/tests/ion/bug792944.js
new file mode 100644
index 000000000000..0c4d54bbcdf7
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug792944.js
@@ -0,0 +1,13 @@
+function whoo() {
+ (new Object()).foo()
+}
+Object.prototype.foo = function() { return undefined };
+whoo();
+Object.prototype.foo = undefined;
+gc();
+try {
+ whoo();
+ assertEq(0, 1);
+} catch(e) {
+ assertEq(e instanceof TypeError, true);
+}
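Review bot: The new guard in TryAttachNativeStub inspects the slot value only at attach time, and the comment says neither why that is sufficient nor what the early `return true` means for the caller. `*isCacheableNative` is still unset when the guard returns, so the caller presumably takes its non-cacheable path; I would add a line such as `// Leave *isCacheableNative unset so the caller treats this access as non-cacheable.` and state which mechanism covers a slot that becomes undefined after a stub is attached. An idempotent cache that hands back a value outside the inferred type set would give Ion-compiled code a mistyped value, so the invariant is worth writing down. The function begins and ends outside the hunk, so the caller's handling and the validity of `shape->slot()` (presumably guaranteed by `IsCacheableGetProp`) cannot be confirmed from these lines.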
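Review bot: The test carries no comment on why `gc()` is required between the reassignment and the second `whoo()` call, and with only two calls it seems to rely on the harness forcing eager Ion compilation to reach the cache at all. A one-line header naming the bug and the role of `gc()` would make that dependency explicit. The `assertEq(0, 1)` marker is also swallowed by the `catch` and surfaces as a failed `instanceof` comparison, so I would annotate it with `// Should have thrown: foo is now undefined.` to make a failure readable.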