From b3042b928d829c1583ef88af8b3034cfccb06ebe Mon Sep 17 00:00:00 2001
From: Brendan Eich
Date: Mon, 1 Sep 2008 13:59:30 -0700
Subject: [PATCH] Holey single-element dense array has null dslots, requires nulld defense (453173).
---
 js/src/jstracer.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 476f9e4ce9f..7df25830957 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -4950,7 +4950,8 @@ TraceRecorder::record_JSOP_ENDINIT()
 JSObject* obj = JSVAL_TO_OBJECT(v);
 if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
 // Until we get JSOP_NEWARRAY working, we do our optimizing here...
- if (obj->fslots[JSSLOT_ARRAY_LENGTH] == 1 && JSVAL_IS_STRING(obj->dslots[0])) {
+ if (obj->fslots[JSSLOT_ARRAY_LENGTH] == 1 &&
+ obj->dslots && JSVAL_IS_STRING(obj->dslots[0])) {
 LIns* v_ins = get(&v);
 JS_ASSERT(v_ins->isCall() && v_ins->fid() == F_FastNewArray);
 LIns* args[] = { stack(1), callArgN(v_ins, 1), cx_ins };
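Review bot: The new `obj->dslots &&` test in record_JSOP_ENDINIT stops the null dereference, but the condition still uses the array length in `fslots[JSSLOT_ARRAY_LENGTH]` as a stand-in for "slot 0 has storage", and nothing in the code says why that is not enough. Array shape is controlled by script and this path runs while a trace is being recorded, so I would put the invariant next to the check, e.g. `// length == 1 does not imply dslots is allocated: a holey array has none (bug 453173)`. If a non-null `dslots` can ever have zero capacity (not visible from this hunk), the test should compare against the dense capacity rather than the length. The diffstat shows only jstracer.cpp changed, so a regression test for the holey single-element case is worth adding; the function body starts and ends outside the hunk.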