Bug 1789821: Don't DCE MMinMaxArray r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D156881

js/src/jit-test/tests/warp/bug1789821.js

@@ -0,0 +1,14 @@
+function foo(x) {
+  Math.max(...[x]);
+}
+
+with ({}) {}
+for (let i = 0; i < 100; i++) {
+  foo(0);
+}
+
+let called = false;
+const evil = { valueOf: () => { called = true; } };
+foo(evil);
+
+assertEq(called, true);

js/src/jit/MIR.h

@@ -4430,6 +4430,11 @@ class MMinMaxArray : public MUnaryInstruction, public SingleObjectPolicy::Data {
       : MUnaryInstruction(classOpcode, array), isMax_(isMax) {
     MOZ_ASSERT(type == MIRType::Int32 || type == MIRType::Double);
     setResultType(type);
+
+    // We can't DCE this, even if the result is unused, in case one of the
+    // elements of the array is an object with a `valueOf` function that
+    // must be called.
+    setGuard();
   }
 
  public: