Holey single-element dense array has null dslots, requires nulld defense (453173).

2024-09-13 09:24:08 -07:00 · 2008-09-01 13:59:30 -07:00 · 2008-09-01 13:59:30 -07:00 · b3042b928d
commit b3042b928d
parent cda5a77a1b
1 changed files with 2 additions and 1 deletions
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -4950,7 +4950,8 @@ TraceRecorder::record_JSOP_ENDINIT()
    JSObject* obj = JSVAL_TO_OBJECT(v);
    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
        // Until we get JSOP_NEWARRAY working, we do our optimizing here...
-        if (obj->fslots[JSSLOT_ARRAY_LENGTH] == 1 && JSVAL_IS_STRING(obj->dslots[0])) {
+        if (obj->fslots[JSSLOT_ARRAY_LENGTH] == 1 &&
+            obj->dslots && JSVAL_IS_STRING(obj->dslots[0])) {
            LIns* v_ins = get(&v);
            JS_ASSERT(v_ins->isCall() && v_ins->fid() == F_FastNewArray);
            LIns* args[] = { stack(1), callArgN(v_ins, 1), cx_ins };