[INFER] Use unique shapes when cloning objects, bug 619433.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 16 Mar 2011 18:33:46 -0700
changeset 74791 b52e42c624430bb7d5941e6de649e34a425eeaa6
parent 74790 404ae1c24c643441f81d054a5f58bac6270df659
child 74792 64a9e21c196af53afa3d457923df7997d272f7c9
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs619433
milestone2.0b13pre
[INFER] Use unique shapes when cloning objects, bug 619433.
js/src/jsfun.cpp
js/src/jsobj.cpp
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -2865,26 +2865,26 @@ js_CloneFunctionObject(JSContext *cx, JS
 
     JSObject *clone;
     if (cx->compartment == fun->compartment()) {
         /*
          * The cloned function object does not need the extra JSFunction members
          * beyond JSObject as it points to fun via the private slot.
          */
         clone = NewNativeClassInstance(cx, &js_FunctionClass, proto, parent);
-        if (!clone || !clone->setTypeAndEmptyShape(cx, type))
+        if (!clone || !clone->setTypeAndUniqueShape(cx, type))
             return NULL;
         clone->setPrivate(fun);
     } else {
         /*
          * Across compartments we have to deep copy JSFunction and clone the
          * script (for interpreted functions).
          */
         clone = NewFunction(cx, parent);
-        if (!clone || !clone->setTypeAndEmptyShape(cx, type))
+        if (!clone || !clone->setTypeAndUniqueShape(cx, type))
             return NULL;
 
         JSFunction *cfun = (JSFunction *) clone;
         cfun->nargs = fun->nargs;
         cfun->flags = fun->flags;
         cfun->u = fun->getFunctionPrivate()->u;
         cfun->atom = fun->atom;
         clone->setPrivate(cfun);
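Review bot: Neither replaced call in js_CloneFunctionObject says why a clone needs a unique shape instead of the empty shape set by `setTypeAndEmptyShape`; the only rationale is the bug number in the commit title. A short comment above the first call, for example `/* Clones take a unique shape, not the type's empty shape; see bug 619433. */`, would keep a later cleanup from switching back. The same call in JSObject::clone (js/src/jsobj.cpp) replaces an `isNative()` branch, so non-native clones that previously only went through `setType` now take the shape-setting path too. That looks intentional, but it is a behaviour change for non-native objects and deserves a comment there confirming that `setTypeAndUniqueShape` is safe for them. js_CloneFunctionObject begins and ends outside this hunk.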
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -3553,22 +3553,18 @@ JSObject::clone(JSContext *cx, JSObject 
         }
     }
     JSObject *clone = NewObject<WithProto::Given>(cx, getClass(),
                                                   proto, parent,
                                                   gc::FinalizeKind(finalizeKind()));
     if (!clone)
         return NULL;
     if (getProto() == proto) {
-        if (isNative()) {
-            if (!clone->setTypeAndEmptyShape(cx, getType()))
-                return NULL;
-        } else {
-            clone->setType(getType());
-        }
+        if (!clone->setTypeAndUniqueShape(cx, getType()))
+            return NULL;
     }
     if (isNative()) {
         if (clone->isFunction() && (compartment() != clone->compartment())) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                                  JSMSG_CANT_CLONE_OBJECT);
             return NULL;
         }