Bug 1252707. r=terrence
authorRyan VanderMeulen <ryanvm@gmail.com>
Sat, 19 Mar 2016 15:16:30 -0400
changeset 289568 b6daac63d773b34f2edb9bbdbf6c31ebe63a85bb
parent 289567 7c4757cf0988f7853acde2793abe8b6cabcc86b4
child 289569 577b8fb1479a8a10ecec8276a6b3be942500e946
push id19656
push usergwagner@mozilla.com
push dateMon, 04 Apr 2016 13:43:23 +0000
treeherderb2g-inbound@e99061fde28a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersterrence
bugs1252707
milestone48.0a1
Bug 1252707. r=terrence
js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -394,18 +394,20 @@ NativeObject::getChildPropertyOnDictiona
     RootedShape shape(cx);
 
     if (obj->inDictionaryMode()) {
         MOZ_ASSERT(parent == obj->lastProperty());
         shape = child.isAccessorShape() ? Allocate<AccessorShape>(cx) : Allocate<Shape>(cx);
         if (!shape)
             return nullptr;
         if (child.hasSlot() && child.slot() >= obj->lastProperty()->base()->slotSpan()) {
-            if (!obj->setSlotSpan(cx, child.slot() + 1))
+            if (!obj->setSlotSpan(cx, child.slot() + 1)) {
+                new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
                 return nullptr;
+            }
         }
         shape->initDictionaryShape(child, obj->numFixedSlots(), &obj->shape_);
     }
 
     return shape;
 }
 
 /* static */ Shape*