From b339a09859bab97640be54b24a31dad8b9be9255 Mon Sep 17 00:00:00 2001
From: Iain Ireland <iireland@mozilla.com>
Date: Tue, 13 Apr 2021 16:52:20 +0000
Subject: [PATCH] Bug 1704451: Fix ShapeSnapshotObject::trace r=jandem

Not sure if the change in `finalize` is strictly necessary, but I included it just in case.

Differential Revision: https://phabricator.services.mozilla.com/D111706
---
 js/src/builtin/TestingFunctions.cpp    | 13 +++++++++++--
 js/src/jit-test/tests/gc/bug1704451.js |  6 ++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug1704451.js

diff --git a/js/src/builtin/TestingFunctions.cpp b/js/src/builtin/TestingFunctions.cpp
index b2bab01c1e8f..3fe564b04d41 100644
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -4535,6 +4535,11 @@ class ShapeSnapshotObject : public NativeObject {
   static const JSClassOps classOps_;
   static const JSClass class_;
 
+  bool hasSnapshot() const {
+    // The snapshot may not be present yet if we GC during initialization.
+    return !getSlot(SnapshotSlot).isUndefined();
+  }
+
   ShapeSnapshot& snapshot() const {
     void* ptr = getSlot(SnapshotSlot).toPrivate();
     MOZ_ASSERT(ptr);
@@ -4544,10 +4549,14 @@ class ShapeSnapshotObject : public NativeObject {
   static ShapeSnapshotObject* create(JSContext* cx, HandleObject obj);
 
   static void finalize(JSFreeOp* fop, JSObject* obj) {
-    js_delete(&obj->as<ShapeSnapshotObject>().snapshot());
+    if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+      js_delete(&obj->as<ShapeSnapshotObject>().snapshot());
+    }
   }
   static void trace(JSTracer* trc, JSObject* obj) {
-    obj->as<ShapeSnapshotObject>().snapshot().trace(trc);
+    if (obj->as<ShapeSnapshotObject>().hasSnapshot()) {
+      obj->as<ShapeSnapshotObject>().snapshot().trace(trc);
+    }
   }
 };
 
diff --git a/js/src/jit-test/tests/gc/bug1704451.js b/js/src/jit-test/tests/gc/bug1704451.js
new file mode 100644
index 000000000000..d4b4d14995d8
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug1704451.js
@@ -0,0 +1,6 @@
+// |jit-test| skip-if: !('gczeal' in this)
+
+enableShellAllocationMetadataBuilder();
+gczeal(9,1);
+var o86 = {x76: 1, y86: 2};
+var snapshot = createShapeSnapshot(o86);