Bug 1265159 - IonMonkey: Throw error when popping from an empty array in MArrayPopShift, r=jandem

js/src/jit-test/tests/ion/bug1265159.js

@@ -0,0 +1,17 @@
+
+var thrown = false;
+try {
+    x = [0];
+    for (var i = 0; i < 5; ++i) {
+        if (i == 3)
+            Object.freeze(x);
+        else
+            x.pop();
+    }
+} catch (e) {
+    thrown = true;
+    assertEq(e instanceof TypeError, true);
+}
+
+assertEq(thrown, true);
+

js/src/jit/CodeGenerator.cpp

@@ -8134,6 +8134,17 @@ CodeGenerator::emitArrayPopShift(LInstruction* lir, const MArrayPopShift* mir, R
     if (mir->maybeUndefined()) {
         Label notEmpty;
         masm.branchTest32(Assembler::NonZero, lengthTemp, lengthTemp, &notEmpty);
+
+        // According to the spec we need to set the length 0 (which is already 0).
+        // This is observable when the array length is made non-writable.
+        // Handle this case in the OOL. When freezing an unboxed array it is converted
+        // to an normal array.
+        if (mir->unboxedType() == JSVAL_TYPE_MAGIC) {
+            Address elementFlags(elementsTemp, ObjectElements::offsetOfFlags());
+            Imm32 bit(ObjectElements::NONWRITABLE_ARRAY_LENGTH);
+            masm.branchTest32(Assembler::NonZero, elementFlags, bit, ool->entry());
+        }
+
         masm.moveValue(UndefinedValue(), out.valueReg());
         masm.jump(&done);
         masm.bind(&notEmpty);