Bug 1704451: Fix ShapeSnapshotObject::trace r=jandem

Not sure if the change in `finalize` is strictly necessary, but I included it just in case.

Differential Revision: https://phabricator.services.mozilla.com/D111706

js/src/builtin/TestingFunctions.cpp

@@ -4535,6 +4535,11 @@ class ShapeSnapshotObject : public NativeObject {
   static const JSClassOps classOps_;
   static const JSClass class_;
 
+  bool hasSnapshot() const {
+    // The snapshot may not be present yet if we GC during initialization.
+    return !getSlot(SnapshotSlot).isUndefined();
+  }
+
   ShapeSnapshot& snapshot() const {
     void* ptr = getSlot(SnapshotSlot).toPrivate();
     MOZ_ASSERT(ptr);
@@ -4544,10 +4549,14 @@ class ShapeSnapshotObject : public NativeObject {
   static ShapeSnapshotObject* create(JSContext* cx, HandleObject obj);
 
   static void finalize(JSFreeOp* fop, JSObject* obj) {
-    js_delete(&obj->as<ShapeSnapshotObject>().snapshot());
+    if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+      js_delete(&obj->as<ShapeSnapshotObject>().snapshot());
+    }
   }
   static void trace(JSTracer* trc, JSObject* obj) {
-    obj->as<ShapeSnapshotObject>().snapshot().trace(trc);
+    if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+      obj->as<ShapeSnapshotObject>().snapshot().trace(trc);
+    }
   }
 };
 

js/src/jit-test/tests/gc/bug1704451.js

@@ -0,0 +1,6 @@
+// |jit-test| skip-if: !('gczeal' in this)
+
+enableShellAllocationMetadataBuilder();
+gczeal(9,1);
+var o86 = {x76: 1, y86: 2};
+var snapshot = createShapeSnapshot(o86);