Bug 1305099 - Fix race updating COW elements pointer after compacting GC r=sfink

Jon Coppeard 2016-10-04 17:10:32 +02:00
parent 8240adec88
commit 9978ef7ab0


@ -1860,7 +1860,11 @@ JSObject::fixupAfterMovingGC()
if (is<NativeObject>()) {
NativeObject& obj = as<NativeObject>();
if (obj.denseElementsAreCopyOnWrite()) {
NativeObject* owner = MaybeForwarded(obj.getElementsHeader()->ownerObject().get());
NativeObject* owner = obj.getElementsHeader()->ownerObject();
// Get the new owner pointer but don't call MaybeForwarded as we
// don't need to access the object's shape.
if (IsForwarded(owner))
owner = Forwarded(owner);
if (owner != &obj && owner->hasFixedElements())
obj.elements_ = owner->getElementsHeader()->elements();
MOZ_ASSERT(!IsForwarded(obj.getElementsHeader()->ownerObject().get()));
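Review bot: The new comment above `if (IsForwarded(owner))` says what is skipped but not why: going by the commit title, the owner's shape may presumably still be being updated by another thread during fixup, and "we don't need to access the object's shape" does not tell a later reader that touching it is unsafe. I would state that directly, e.g. `// The owner may be fixed up concurrently: follow only the forwarding pointer and avoid MaybeForwarded, which also touches the shape.` The following `owner->hasFixedElements()` and `owner->getElementsHeader()->elements()` still read through the forwarded owner; the hunk does not show whether they touch only fields that are stable at this point. That is worth confirming and noting in the same comment, since a stale `obj.elements_` after compaction would be a memory-safety bug. The body of `fixupAfterMovingGC` starts and ends outside the hunk.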