From 3c329f99d69f4b63e5ca93080c8d5d466e145440 Mon Sep 17 00:00:00 2001
From: Iain Ireland
Date: Fri, 9 Sep 2022 16:21:27 +0000
Subject: [PATCH] Bug 1789821: Don't DCE MMinMaxArray r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D156881
---
 js/src/jit-test/tests/warp/bug1789821.js | 14 ++++++++++++++
 js/src/jit/MIR.h | 5 +++++
 2 files changed, 19 insertions(+)
 create mode 100644 js/src/jit-test/tests/warp/bug1789821.js

diff --git a/js/src/jit-test/tests/warp/bug1789821.js b/js/src/jit-test/tests/warp/bug1789821.js
new file mode 100644
index 000000000000..b1d3ee9a543f
--- /dev/null
+++ b/js/src/jit-test/tests/warp/bug1789821.js
@@ -0,0 +1,14 @@
+function foo(x) {
+ Math.max(...[x]);
+}
+
+with ({}) {}
+for (let i = 0; i < 100; i++) {
+ foo(0);
+}
+
+let called = false;
+const evil = { valueOf: () => { called = true; } };
+foo(evil);
+
+assertEq(called, true);
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 49e570d5150f..158a8426c37a 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -4430,6 +4430,11 @@ class MMinMaxArray : public MUnaryInstruction, public SingleObjectPolicy::Data {
 : MUnaryInstruction(classOpcode, array), isMax_(isMax) {
 MOZ_ASSERT(type == MIRType::Int32 || type == MIRType::Double);
 setResultType(type);
+
+ // We can't DCE this, even if the result is unused, in case one of the
+ // elements of the array is an object with a `valueOf` function that
+ // must be called.
+ setGuard();
 }

 public:
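Review bot: Only the `Math.max` form is covered in bug1789821.js, but the patched MMinMaxArray constructor takes an `isMax` flag, so `Math.min(...[x])` presumably lowers to the same node and a regression on that side would go unnoticed. A second warmed-up function such as `function bar(x) { Math.min(...[x]); }`, called with its own `valueOf` sentinel and its own `assertEq`, would pin both values of the flag. A one-line comment above `with ({}) {}` stating why it is there would also help readers who do not know the jit-test idiom.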
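Review bot: The comment added above `setGuard()` in js/src/jit/MIR.h says why the node must survive DCE but not how the `valueOf` call is actually reached, and that decides whether a guard flag alone is sufficient. If the instruction bails out on a non-numeric element and the call happens after the bailout (inferred; the lowering is not in this hunk), the comment should say so, e.g. `// A non-number element makes this instruction bail out; that bailout is observable, so treat it as a guard.` If the instruction could instead invoke `valueOf` itself, its alias set would also have to describe arbitrary side effects so it is not reordered or hoisted across stores. The constructor signature and the rest of the class, including any `getAliasSet()` override, are outside the hunk and could not be checked here.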