Bug 1437507 - Fix JSObject::setFlags to call ensureShape before checking for dictionary mode. r=jandem, a=RyanVM
authorBrian Hackett <bhackett1024@gmail.com>
Fri, 23 Feb 2018 13:25:53 -0500
changeset 452549 9d7c295d9570e294851908465f56ec0779547d2a
parent 452548 2811aeb13e515b168c7a0fe282d1f88c4664d877
child 452550 b04d72c7cb7fe614ea4fe2c2e3a60f88dcd36cee
push id8763
push userryanvm@gmail.com
push dateFri, 23 Feb 2018 22:07:57 +0000
reviewersjandem, RyanVM
bugs1437507
milestone59.0
Bug 1437507 - Fix JSObject::setFlags to call ensureShape before checking for dictionary mode. r=jandem, a=RyanVM
js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -1324,35 +1324,35 @@ NativeObject::shadowingShapeChange(JSCon
 
 /* static */ bool
 JSObject::setFlags(JSContext* cx, HandleObject obj, BaseShape::Flag flags,
                    GenerateShape generateShape)
 {
     if (obj->hasAllFlags(flags))
         return true;
 
+    Shape* existingShape = obj->ensureShape(cx);
+    if (!existingShape)
+        return false;
+
     if (obj->isNative() && obj->as<NativeObject>().inDictionaryMode()) {
         if (generateShape == GENERATE_SHAPE) {
             if (!NativeObject::generateOwnShape(cx, obj.as<NativeObject>()))
                 return false;
         }
         StackBaseShape base(obj->as<NativeObject>().lastProperty());
         base.flags |= flags;
         UnownedBaseShape* nbase = BaseShape::getUnowned(cx, base);
         if (!nbase)
             return false;
 
         obj->as<NativeObject>().lastProperty()->base()->adoptUnowned(nbase);
         return true;
     }
 
-    Shape* existingShape = obj->ensureShape(cx);
-    if (!existingShape)
-        return false;
-
     Shape* newShape = Shape::setObjectFlags(cx, flags, obj->taggedProto(), existingShape);
     if (!newShape)
         return false;
 
     // The success of the |JSObject::ensureShape| call above means that |obj|
     // can be assumed to have a shape.
     obj->as<ShapedObject>().setShape(newShape);