Bug 608868 part 2: verify that scope chain start is native before IC'ing, r=dvander, a=beta8+

--HG-- extra : rebase_source : e0ea8c99782f6518f7973648ed157fd7bb8b35d5
2024-10-21 01:05:45 +00:00 · 2010-11-09 12:28:11 -08:00 · 2010-11-09 12:28:11 -08:00 · 69ca130772
commit 69ca130772
parent 6883249799
1 changed files with 2 additions and 0 deletions
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@ -697,6 +697,8 @@ struct GetPropertyHelper {
            return ic.error(cx);
        if (!prop)
            return ic.disable(cx, "lookup failed");
+        if (!obj->isNative())
+            return ic.disable(cx, "non-native");
        if (!IsCacheableProtoChain(obj, holder))
            return ic.disable(cx, "non-native holder");
        shape = (const Shape *)prop;