Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-08 12:37:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[INFER] Always ensure obj->numSlots() >= obj->slotSpan() after its scope has been initialized, bug 642326.

Browse Source
This commit is contained in:
Brian Hackett 2011-03-16 18:59:20 -07:00
parent f07e7c981f
commit 5c3642f6c0
2 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
js/src/jit-test/tests/basic/bug642326.js Normal file
View File

@ -0,0 +1,4 @@
this.__proto__ = [];
gczeal(2);
gc();
var box = evalcx('lazy');

20
js/src/jsobjinlines.h
View File

@ -989,20 +989,16 @@ InitScopeForObject(JSContext* cx, JSObject* obj, js::Class *clasp, js::types::Ty
/* Share proto's emptyShape only if obj is similar to proto. */
js::EmptyShape *empty = NULL;
if (type && type->canProvideEmptyShape(clasp)) {
empty = type->getEmptyShape(cx, clasp, kind);
if (!empty)
goto bad;
}
uint32 freeslot = JSSLOT_FREE(clasp);
if (freeslot > obj->numSlots() && !obj->allocSlots(cx, freeslot))
goto bad;
if (!empty) {
if (type && type->canProvideEmptyShape(clasp))
empty = type->getEmptyShape(cx, clasp, kind);
else
empty = js::EmptyShape::create(cx, clasp);
if (!empty)
goto bad;
uint32 freeslot = JSSLOT_FREE(clasp);
if (freeslot > obj->numSlots() && !obj->allocSlots(cx, freeslot))
goto bad;
}
if (!empty)
goto bad;
obj->setMap(empty);
return true;