Mercurial > mozreview > gecko / changeset / 43f525528c4291b5d761544d985bb3fff39d2309
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1077041 - NativeObject::copy, Only copy the minimum between the number of fixed slot and the span of the shape. r=jandem
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Fri, 03 Oct 2014 17:37:57 +0200
changeset 208756 43f525528c4291b5d761544d985bb3fff39d2309
parent 208711 91ffa2ab03aa45d35668db72612e32049d8b241b
child 208757 414bc3c04877637abc5256196fd030af41327523
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersjandem
bugs1077041
milestone35.0a1
Bug 1077041 - NativeObject::copy, Only copy the minimum between the number of fixed slot and the span of the shape. r=jandem
js/src/vm/ObjectImpl-inl.h file | annotate | diff | comparison | revisions 
--- a/js/src/vm/ObjectImpl-inl.h
+++ b/js/src/vm/ObjectImpl-inl.h
@@ -323,17 +323,20 @@ NativeObject::copy(ExclusiveContext *cx,
     if (!baseObj)
         return nullptr;
     NativeObject *obj = &baseObj->as<NativeObject>();
 
     size_t span = shape->slotSpan();
     if (span) {
         uint32_t numFixed = templateObject->numFixedSlots();
         const Value *fixed = &templateObject->getSlot(0);
-        MOZ_ASSERT(numFixed <= span);
+        // Only copy elements which are registered in the shape, even if the
+        // number of fixed slots is larger.
+        if (span < numFixed)
+            numFixed = span;
         obj->copySlotRange(0, fixed, numFixed);
 
         if (numFixed < span) {
             uint32_t numSlots = span - numFixed;
             const Value *slots = &templateObject->getSlot(numFixed);
             obj->copySlotRange(numFixed, slots, numSlots);
         }
     }
gecko
Deployed from e404c980045c at 2021-03-01T18:43:47Z.