From b22dfbd773138f19671f8bf3553e447a91b8d623 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Sat, 23 Mar 2019 11:39:13 -0700
Subject: [PATCH] chemspill: M1537924 M1538006 (backported to ESR45)
---
 js/src/jit/MIR.cpp | 9 +++++++--
 js/src/jit/MIR.h | 4 ----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/js/src/jit/MIR.cpp b/js/src/jit/MIR.cpp
index e757498c6..f15de7870 100644
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -5554,8 +5554,10 @@ jit::PropertyWriteNeedsTypeBarrier(TempAllocator& alloc, CompilerConstraintList*
 bool success = true;
 for (size_t i = 0; i < types->getObjectCount(); i++) {
 TypeSet::ObjectKey* key = types->getObject(i);
- if (!key || key->unknownProperties())
+ if (!key)
 continue;
+ if (!key->hasStableClassAndProto(constraints))
+ return true;
 // TI doesn't track TypedArray indexes and should never insert a type
 // barrier for them.
@@ -5607,8 +5609,11 @@ jit::PropertyWriteNeedsTypeBarrier(TempAllocator& alloc, CompilerConstraintList*
 TypeSet::ObjectKey* excluded = nullptr;
 for (size_t i = 0; i < types->getObjectCount(); i++) {
 TypeSet::ObjectKey* key = types->getObject(i);
- if (!key || key->unknownProperties())
+ if (!key)
 continue;
+ if (!key->hasStableClassAndProto(constraints))
+ return true;
+
 if (!name && IsAnyTypedArrayClass(key->clasp()))
 continue;
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index d94ec4c9d..d1d068acc 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -9503,10 +9503,6 @@ class MArraySlice
 return unboxedType_;
 }
- AliasSet getAliasSet() const override {
- return AliasSet::Store(AliasSet::BoxedOrUnboxedElements(unboxedType()) |
- AliasSet::ObjectFields);
- }
 bool possiblyCalls() const override {
 return true;
 }
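Review bot: The new `if (!key->hasStableClassAndProto(constraints)) return true;` in the first loop of jit::PropertyWriteNeedsTypeBarrier (hunk at -5554) has no comment saying why an unstable key forces a barrier, and the same uncommented check is added in the second loop (hunk at -5607). The old code skipped keys with unknownProperties(); the new code no longer skips them and answers "barrier needed" for any key whose class or prototype is not stable, so without a comment the early return is easy to mistake for a pessimisation and revert. I would put above each check something like `// The key's class/proto may still change, so nothing below can be trusted: be conservative and require the barrier.` Whether hasStableClassAndProto also rejects the unknown-properties keys that used to be skipped is not visible here and should be confirmed against its definition. The function body starts and ends outside both hunks.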