fix bug 78428 by making sure to use the lesser of the freeslot or nslots value when marking slots. This is necessary because objects can now be in an initial state where the freeslots is a larger number than the nslots - and the actual number of slots in the array. sr=brendan r=beard a=drivers

js/src/jsdbgapi.c

@@ -868,7 +868,7 @@ JS_GetPropertyDescArray(JSContext *cx, JSObject *obj, JSPropertyDescArray *pda)
         return JS_TRUE;
     }
 
-    n = scope->map.freeslot;
+    n = JS_MIN(scope->map.freeslot, scope->map.nslots);
     pd = (JSPropertyDesc *) JS_malloc(cx, (size_t)n * sizeof(JSPropertyDesc));
     if (!pd)
         return JS_FALSE;

js/src/jsgc.c

@@ -819,7 +819,7 @@ js_MarkGCThing(JSContext *cx, void *thing, void *arg)
         }
         nslots = (obj->map->ops->mark)
                  ? obj->map->ops->mark(cx, obj, arg)
-                 : obj->map->freeslot;
+                 : JS_MIN(obj->map->freeslot, obj->map->nslots);
 #ifdef GC_MARK_DEBUG
         scope = OBJ_IS_NATIVE(obj) ? OBJ_SCOPE(obj) : NULL;
 #endif

js/src/jsobj.c

@@ -1786,7 +1786,7 @@ js_AllocSlot(JSContext *cx, JSObject *obj, uint32 *slotp)
     JS_ASSERT(!MAP_IS_NATIVE(map) || ((JSScope *)map)->object == obj);
     nslots = map->nslots;
     if (map->freeslot >= nslots) {
-        nslots = JS_MAX(map->freeslot, nslots);
+        nslots = map->freeslot;
         JS_ASSERT(nslots >= JS_INITIAL_NSLOTS);
         nslots += (nslots + 1) / 2;
 
@@ -3463,7 +3463,7 @@ js_Mark(JSContext *cx, JSObject *obj, void *arg)
          */
         return (uint32) obj->slots[-1];
     }
-    return obj->map->freeslot;
+    return JS_MIN(obj->map->freeslot, obj->map->nslots);
 }
 
 void