Use canonical function in TypeNewScript::rollbackPartiallyInitializedObjects.

1 files changed, 12 insertions, 1 deletions

diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c..4775a2dea 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
     MOZ_ASSERT(!group->newScript());
     MOZ_ASSERT(!group->maybeUnboxedLayout());
 
+    // rollbackPartiallyInitializedObjects expects function_ to be
+    // canonicalized.
+    MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
     if (group->unknownProperties())
         return true;
 
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
                 oomUnsafe.crash("rollbackPartiallyInitializedObjects");
         }
 
-        if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+        if (!iter.isConstructing()) {
+            continue;
+        }
+
+        MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+        if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
             continue;
+        }
 
         // Derived class constructors initialize their this-binding later and
         // we shouldn't run the definite properties analysis on them.