bug 657227 - IsCacheableProtoChain must check for a null proto. r=dvander

js/src/jit-test/tests/basic/bug657227.js

@@ -0,0 +1,37 @@
+var obj;
+var counter = 0;
+var p = Proxy.create({
+    has : function(id) {
+	if (id == 'xyz') {
+	    ++counter;
+	    if (counter == 7) {
+		obj.__proto__ = null;
+	    }
+	    return true;
+	}
+	return false;
+    },
+    get : function(id) {
+	if (id == 'xyz')
+	    return 10;
+    }
+});
+
+function test()
+{
+    Object.prototype.__proto__ = null;
+    obj = { xyz: 1};
+    var n = 0;
+    for (var i = 0; i != 100; ++i) {
+	var s = obj.xyz;
+	if (s)
+	    ++n;
+	if (i == 10) {
+	    delete obj.xyz;
+	    Object.prototype.__proto__ = p;
+	}
+
+    }
+}
+
+test();

js/src/methodjit/PolyIC.cpp

@@ -634,8 +634,13 @@ static bool
 IsCacheableProtoChain(JSObject *obj, JSObject *holder)
 {
     while (obj != holder) {
+        /*
+         * We cannot assume that we find the holder object on the prototype
+         * chain and must check for null proto. The prototype chain can be
+         * altered during the lookupProperty call.
+         */
         JSObject *proto = obj->getProto();
-        if (!proto->isNative())
+        if (!proto || !proto->isNative())
             return false;
         obj = proto;
     }