Bug 1437507 - Fix JSObject::setFlags to call ensureShape before checking for dictionary mode. r=jandem
authorBrian Hackett <bhackett1024@gmail.com>
Fri, 23 Feb 2018 13:25:53 -0500
changeset 405111 ca6b74831ec3db204e024b07f200b0d1ce93557e
parent 405110 c9f0ec7b3f114d122cf4226a1bd8c1b32d81b803
child 405112 8d1e97e0569c09e0904e3f2f41806f3adb2d8b23
push id33502
push userarchaeopteryx@coole-files.de
push dateSat, 24 Feb 2018 00:59:26 +0000
treeherdermozilla-central@1056e048072c [default view] [failures only]
reviewersjandem
bugs1437507
milestone60.0a1
Bug 1437507 - Fix JSObject::setFlags to call ensureShape before checking for dictionary mode. r=jandem
js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -1315,35 +1315,35 @@ NativeObject::replaceWithNewEquivalentSh
 
 /* static */ bool
 JSObject::setFlags(JSContext* cx, HandleObject obj, BaseShape::Flag flags,
                    GenerateShape generateShape)
 {
     if (obj->hasAllFlags(flags))
         return true;
 
+    Shape* existingShape = obj->ensureShape(cx);
+    if (!existingShape)
+        return false;
+
     if (obj->isNative() && obj->as<NativeObject>().inDictionaryMode()) {
         if (generateShape == GENERATE_SHAPE) {
             if (!NativeObject::generateOwnShape(cx, obj.as<NativeObject>()))
                 return false;
         }
         StackBaseShape base(obj->as<NativeObject>().lastProperty());
         base.flags |= flags;
         UnownedBaseShape* nbase = BaseShape::getUnowned(cx, base);
         if (!nbase)
             return false;
 
         obj->as<NativeObject>().lastProperty()->base()->adoptUnowned(nbase);
         return true;
     }
 
-    Shape* existingShape = obj->ensureShape(cx);
-    if (!existingShape)
-        return false;
-
     Shape* newShape = Shape::setObjectFlags(cx, flags, obj->taggedProto(), existingShape);
     if (!newShape)
         return false;
 
     // The success of the |JSObject::ensureShape| call above means that |obj|
     // can be assumed to have a shape.
     obj->as<ShapedObject>().setShape(newShape);
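Review bot: The relocated `obj->ensureShape(cx)` call at the top of `JSObject::setFlags` carries no comment saying why it must run before the `isNative()` / `inDictionaryMode()` test, so the ordering this commit fixes could be undone by a later cleanup. Presumably `ensureShape` can change the object's representation, which would make an earlier nativeness or dictionary-mode answer stale and let the flags be applied through the wrong path. A comment above the call would record that, for example `// ensureShape may change |obj|'s representation; only query isNative()/inDictionaryMode() after it.` Only js/src/vm/Shape.cpp is visible on this page, so it is worth confirming that a regression test for the bug lands alongside the change. The body of `setFlags` continues past the end of the hunk.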