Fix crash in object-wrapped string length IC (bug 623474, r=dvander).

js/src/jit-test/tests/jaeger/bug623474.js

@@ -0,0 +1,10 @@
+for (var j=0;j<2;++j) { (function(o){o.length})(String.prototype); }
+
+for each(let y in [Number, Number]) {
+    try {
+        "".length()
+    } catch(e) {}
+}
+
+/* Don't crash. */
+

js/src/methodjit/PolyIC.cpp

@@ -905,8 +905,9 @@ class GetPropCompiler : public PICStubCompiler
         Assembler masm;
 
         Jump notStringObj = masm.testObjClass(Assembler::NotEqual, pic.objReg, obj->getClass());
-        masm.loadPayload(Address(pic.objReg, JSObject::getFixedSlotOffset(
-                         JSObject::JSSLOT_PRIMITIVE_THIS)), pic.objReg);
+        masm.loadPtr(Address(pic.objReg, offsetof(JSObject, slots)), pic.objReg);
+        masm.loadPayload(Address(pic.objReg, JSObject::JSSLOT_PRIMITIVE_THIS * sizeof(Value)),
+                         pic.objReg);
         masm.loadPtr(Address(pic.objReg, JSString::offsetOfLengthAndFlags()), pic.objReg);
         masm.urshift32(Imm32(JSString::LENGTH_SHIFT), pic.objReg);
         masm.move(ImmType(JSVAL_TYPE_INT32), pic.shapeReg);