Bug 1500255 - Handle objects with null prototype in stub-generator for oob array setelems. r=tcampbell

js/src/jit-test/tests/cacheir/bug1500255.js

@@ -0,0 +1,10 @@
+
+setJitCompilerOption("offthread-compilation.enable", 0);
+setJitCompilerOption("ion.warmup.trigger", 0);
+
+foo();
+
+function foo() {
+    Array.prototype.__proto__ = null;
+    Array.prototype[1] = 'bar';
+}

js/src/jit/CacheIR.cpp

@@ -4093,7 +4093,9 @@ SetPropIRGenerator::tryAttachAddOrUpdateSparseElement(HandleObject obj, ObjOpera
     }
 
     // Indexed properties on the prototype chain aren't handled by the helper.
-    if (ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype())) {
+    if ((aobj->staticPrototype() != nullptr) &&
+        ObjectMayHaveExtraIndexedProperties(aobj->staticPrototype()))
+    {
         return false;
     }