From 14e879800f4cf7c99987fed826710ef4a301e25e Mon Sep 17 00:00:00 2001
From: Jeff Walden
Date: Sat, 4 Apr 2009 16:55:51 -0700
Subject: [PATCH] Bug 486578 - TM: "Assertion failure: scope->object == pobj" with function, __proto__, length. r=gal
---
 js/src/jstracer.cpp | 5 +++++
 js/src/trace-test.js | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 73ab8b43b96..5cf8fb41e73 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -5933,6 +5933,11 @@ TraceRecorder::test_property_cache(JSObject* obj, LIns* obj_ins, JSObject*& obj2
 ABORT_TRACE("failed to lookup property");
 if (prop) {
+ if (!OBJ_IS_NATIVE(obj2)) {
+ OBJ_DROP_PROPERTY(cx, obj2, prop);
+ ABORT_TRACE("property found on non-native object");
+ }
+
 js_FillPropertyCache(cx, aobj, OBJ_SHAPE(aobj), 0, protoIndex, obj2, (JSScopeProperty*) prop, &entry);
 }
diff --git a/js/src/trace-test.js b/js/src/trace-test.js
index ff32d6cfb38..84d994400dd 100644
--- a/js/src/trace-test.js
+++ b/js/src/trace-test.js
@@ -4790,6 +4790,28 @@ testNewWithNonNativeProto.jitstats = {
 };
 test(testNewWithNonNativeProto);
+function testLengthOnNonNativeProto()
+{
+ var o = {};
+ o.__proto__ = [3];
+ for (var j = 0; j < 5; j++)
+ o[0];
+
+ var o2 = {};
+ o2.__proto__ = [];
+ for (var j = 0; j < 5; j++)
+ o2.length;
+
+ function foo() { }
+ foo.__proto__ = [];
+ for (var j = 0; j < 5; j++)
+ foo.length;
+
+ return "no assertion";
+}
+testLengthOnNonNativeProto.expected = "no assertion";
+test(testLengthOnNonNativeProto);
+
 /*****************************************************************************
 *
 *
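Review bot: The new `!OBJ_IS_NATIVE(obj2)` guard in test_property_cache carries no comment saying what it protects, and the reason is not obvious from the surrounding lines. The call just below it casts `prop` to `JSScopeProperty*`, which is only meaningful when the object holding the property is native; the commit title shows a debug build catching this as an assertion, and a build with assertions compiled out would presumably have gone on to cache a mistyped pointer. I would add above the guard: `// prop is a JSScopeProperty only when obj2 is native; a non-native holder (e.g. an array on the proto chain) must not reach js_FillPropertyCache.` The function starts and ends outside this hunk, so whether its other uses of `prop` or `obj2` need the same check cannot be judged from here.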
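Review bot: testLengthOnNonNativeProto discards the result of every lookup (`o[0];`, `o2.length;`, `foo.length;`) and returns a fixed string, so it only fails in a build where the assertion from the bug title is compiled in. In a build without assertions a wrong value read through a bad cache entry would still return "no assertion". Checking the values inside the loops would close that gap, for example `if (o[0] !== 3) return "bad o[0]";` and `if (o2.length !== 0) return "bad o2.length";`. The preceding test sets a `jitstats` expectation and this one does not, so it also does not pin whether these loops are expected to abort recording or to trace; a short comment stating which is intended would help.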