From 9e0ae18aff6ca3225316f48ff8d0ce482acfab0c Mon Sep 17 00:00:00 2001
From: David Mandelin
Date: Tue, 9 Nov 2010 12:28:11 -0800
Subject: [PATCH] Bug 608868 part 2: verify that scope chain start is native before IC'ing, r=dvander, a=beta8+
--HG--
extra : rebase_source : e0ea8c99782f6518f7973648ed157fd7bb8b35d5
---
 js/src/methodjit/PolyIC.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index c0a56844471..8c72be215d1 100644
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -697,6 +697,8 @@ struct GetPropertyHelper {
 return ic.error(cx);
 if (!prop)
 return ic.disable(cx, "lookup failed");
+ if (!obj->isNative())
+ return ic.disable(cx, "non-native");
 if (!IsCacheableProtoChain(obj, holder))
 return ic.disable(cx, "non-native holder");
 shape = (const Shape *)prop;
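Review bot: The new `if (!obj->isNative())` guard carries no comment explaining why it is needed on top of the `IsCacheableProtoChain(obj, holder)` check on the next line, so a later cleanup could mistake it for redundant and drop it. Judging by the commit title, the chain walk presumably does not cover the starting object itself, while the `(const Shape *)prop` cast and the inline cache built from it only make sense for native objects. A line such as `// obj itself must be native; IsCacheableProtoChain may not check the start of the chain` above the guard would record that invariant. If that reading is right, other callers of IsCacheableProtoChain would need the same guard, or the check could move into the helper; neither can be confirmed from this hunk. The enclosing function starts and ends outside the hunk.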