Bug 957004 - Guard against object being lazily typed in IsPackedArray self-hosting intrinsic. r=jandem

--HG--
extra : rebase_source : 824ff8327c37b430d600dd2fc070fac793f1cf1c

js/src/jit-test/tests/self-hosting/bug957004.js

@@ -0,0 +1,3 @@
+// No result, just mustn't crash.
+Array.prototype.push(0);
+Array.prototype.indexOf();

js/src/vm/SelfHosting.cpp

@@ -482,7 +482,7 @@ js::intrinsic_IsPackedArray(JSContext *cx, unsigned argc, Value *vp)
     JS_ASSERT(args[0].isObject());
 
     JSObject *obj = &args[0].toObject();
-    bool isPacked = obj->is<ArrayObject>() &&
+    bool isPacked = obj->is<ArrayObject>() && !obj->hasLazyType() &&
                     !obj->type()->hasAllFlags(types::OBJECT_FLAG_NON_PACKED) &&
                     obj->getDenseInitializedLength() == obj->as<ArrayObject>().length();