Bug 1077041 - NativeObject::copy, Only copy the minimum between the number of fixed slot and the span of the shape. r=jandem
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Fri, 03 Oct 2014 17:37:57 +0200
changeset 231971 43f525528c4291b5d761544d985bb3fff39d2309
parent 231926 91ffa2ab03aa45d35668db72612e32049d8b241b
child 231972 414bc3c04877637abc5256196fd030af41327523
push id4187
push userbhearsum@mozilla.com
push dateFri, 28 Nov 2014 15:29:12 +0000
reviewersjandem
bugs1077041
milestone35.0a1
Bug 1077041 - NativeObject::copy, Only copy the minimum between the number of fixed slot and the span of the shape. r=jandem
js/src/vm/ObjectImpl-inl.h
--- a/js/src/vm/ObjectImpl-inl.h
+++ b/js/src/vm/ObjectImpl-inl.h
@@ -323,17 +323,20 @@ NativeObject::copy(ExclusiveContext *cx,
     if (!baseObj)
         return nullptr;
     NativeObject *obj = &baseObj->as<NativeObject>();
 
     size_t span = shape->slotSpan();
     if (span) {
         uint32_t numFixed = templateObject->numFixedSlots();
         const Value *fixed = &templateObject->getSlot(0);
-        MOZ_ASSERT(numFixed <= span);
+        // Only copy elements which are registered in the shape, even if the
+        // number of fixed slots is larger.
+        if (span < numFixed)
+            numFixed = span;
         obj->copySlotRange(0, fixed, numFixed);
 
         if (numFixed < span) {
             uint32_t numSlots = span - numFixed;
             const Value *slots = &templateObject->getSlot(numFixed);
             obj->copySlotRange(numFixed, slots, numSlots);
         }
     }
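Review bot: The clamp `if (span < numFixed) numFixed = span;` replaces the assertion with a silent bound, so the fixed slots of `obj` from `span` up to `templateObject->numFixedSlots()` are no longer written by this function. Whether those slots are already initialized depends on the allocation that produced `baseObj`, which is above the hunk; that should be confirmed and stated in the comment. The assignment also narrows `size_t` to `uint32_t` implicitly, which is safe only because of the guard, and `numFixed = uint32_t(span);` would make that explicit. Because `numFixed` now holds the count to copy rather than the template's fixed-slot count, the comment could say so, e.g. `// numFixed: slots copied from fixed storage, clamped to the shape's slot span.` NativeObject::copy starts and ends outside the hunk.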