Bug 1415883 - Fix some issues in ShiftFromList. r=arai
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 29 Nov 2017 16:03:12 +0100
changeset 394168 2467d71d0e0de20103ce61cdd221461a48e4591b
parent 394167 82cc3d908f2f83c41eef7a4504e69c0fdec27066
child 394169 65010575ea90050945d09baf54eb0b3307bd6ec9
push id97824
push userjandemooij@gmail.com
push dateWed, 29 Nov 2017 15:05:15 +0000
treeherdermozilla-inbound@65010575ea90 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersarai
bugs1415883
milestone59.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1415883 - Fix some issues in ShiftFromList. r=arai
js/src/vm/List-inl.h
js/src/vm/NativeObject.cpp
--- a/js/src/vm/List-inl.h
+++ b/js/src/vm/List-inl.h
@@ -51,19 +51,19 @@ inline MOZ_MUST_USE T*
 ShiftFromList(JSContext* cx, HandleNativeObject list)
 {
     uint32_t length = list->getDenseInitializedLength();
     MOZ_ASSERT(length > 0);
 
     Rooted<T*> entry(cx, &list->getDenseElement(0).toObject().as<T>());
     if (!list->tryShiftDenseElements(1)) {
         list->moveDenseElements(0, 1, length - 1);
+        list->setDenseInitializedLength(length - 1);
         list->shrinkElements(cx, length - 1);
     }
 
-    list->setDenseInitializedLength(length - 1);
-
+    MOZ_ASSERT(list->getDenseInitializedLength() == length - 1);
     return entry;
 }
 
 } /* namespace js */
 
 #endif /* vm_List_inl_h */
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -992,16 +992,18 @@ NativeObject::growElements(JSContext* cx
 
     return true;
 }
 
 void
 NativeObject::shrinkElements(JSContext* cx, uint32_t reqCapacity)
 {
     MOZ_ASSERT(canHaveNonEmptyElements());
+    MOZ_ASSERT(reqCapacity >= getDenseInitializedLength());
+
     if (denseElementsAreCopyOnWrite())
         MOZ_CRASH();
 
     if (!hasDynamicElements())
         return;
 
     // If we have shifted elements, consider moving them.
     uint32_t numShifted = getElementsHeader()->numShiftedElements();