Bug 1538006 - Propagate unknownProperties when changing prototype. r=jandem, a=dveditz
authorTed Campbell <tcampbell@mozilla.com>
Thu, 21 Mar 2019 22:36:46 +0000
changeset 519989 eebf74de1376d74e42b78351b00cee6d3293f92d
parent 519988 e8e770918af7d9ef0de4b2a7e6a804db3c693d06
child 519990 662e97c691037298df2971fea3def0bb19fe3f93
push id206229
push userryanvm@gmail.com
push dateFri, 22 Mar 2019 01:31:40 +0000
reviewersjandem, dveditz
bugs1538006
milestone66.0.1
Bug 1538006 - Propagate unknownProperties when changing prototype. r=jandem, a=dveditz

Differential Revision: https://phabricator.services.mozilla.com/D24446
js/src/vm/NativeObject.cpp
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -1257,22 +1257,25 @@ static MOZ_ALWAYS_INLINE void UpdateShap
 }
 
 void js::AddPropertyTypesAfterProtoChange(JSContext* cx, NativeObject* obj,
                                           ObjectGroup* oldGroup) {
   AutoSweepObjectGroup sweepObjGroup(obj->group());
   MOZ_ASSERT(obj->group() != oldGroup);
   MOZ_ASSERT(!obj->group()->unknownProperties(sweepObjGroup));
 
+  AutoSweepObjectGroup sweepOldGroup(oldGroup);
+  if (oldGroup->unknownProperties(sweepOldGroup)) {
+    MarkObjectGroupUnknownProperties(cx, obj->group());
+    return;
+  }
+
   // First copy the dynamic flags.
-  AutoSweepObjectGroup sweepOldGroup(oldGroup);
   MarkObjectGroupFlags(
-      cx, obj,
-      oldGroup->flags(sweepOldGroup) &
-          (OBJECT_FLAG_DYNAMIC_MASK & ~OBJECT_FLAG_UNKNOWN_PROPERTIES));
+      cx, obj, oldGroup->flags(sweepOldGroup) & OBJECT_FLAG_DYNAMIC_MASK);
 
   // Now update all property types. If the object has many properties, this
   // function may be slow so we mark all properties as unknown.
   static const size_t MaxPropertyCount = 40;
 
   size_t nprops = obj->getDenseInitializedLength();
   if (nprops > MaxPropertyCount) {
     MarkObjectGroupUnknownProperties(cx, obj->group());
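Review bot: The new early return on `oldGroup->unknownProperties(sweepOldGroup)` has no comment saying why the flag must carry over to the new group, although the whole fix rests on that invariant. I would add above the `if` something like `// The old group tracked no property types for obj, so the new group cannot be given precise ones; mark it unknown too.`, with the wording checked against the type-inference code, which is not visible in this hunk. The `MarkObjectGroupFlags` call no longer masks out `OBJECT_FLAG_UNKNOWN_PROPERTIES`, which is only correct because of that return, so placing `MOZ_ASSERT(!oldGroup->unknownProperties(sweepOldGroup));` directly before the call would keep a later reordering from silently breaking it. The function body continues past the end of the hunk, and no regression test appears in the changeset as shown here.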