Bug 1064346 - JSFunction's extended attributes expect POD-style initialization. r=billm, a=abillings
authorTerrence Cole <terrence@mozilla.com>
Wed, 10 Sep 2014 15:42:36 -0700
changeset 216861 fd4720dd6a46
parent 216860 ac926de428c3
child 216862 97feda79279e
push id3944
push userryanvm@gmail.com
push date2014-09-26 21:25 +0000
treeherdermozilla-beta@fd4720dd6a46 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbillm, abillings
bugs1064346
milestone33.0
Bug 1064346 - JSFunction's extended attributes expect POD-style initialization. r=billm, a=abillings
js/public/Class.h
js/src/jsobjinlines.h
--- a/js/public/Class.h
+++ b/js/public/Class.h
@@ -465,18 +465,22 @@ struct Class
     bool hasPrivate() const {
         return !!(flags & JSCLASS_HAS_PRIVATE);
     }
 
     bool emulatesUndefined() const {
         return flags & JSCLASS_EMULATES_UNDEFINED;
     }
 
+    bool isJSFunction() const {
+        return this == js::FunctionClassPtr;
+    }
+
     bool isCallable() const {
-        return this == js::FunctionClassPtr || call;
+        return isJSFunction() || call;
     }
 
     bool isProxy() const {
         return flags & JSCLASS_IS_PROXY;
     }
 
     bool isDOMClass() const {
         return flags & JSCLASS_IS_DOMJSCLASS;
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -539,16 +539,20 @@ JSObject::create(js::ExclusiveContext *c
 
     if (clasp->hasPrivate())
         obj->privateRef(shape->numFixedSlots()) = nullptr;
 
     size_t span = shape->slotSpan();
     if (span)
         obj->initializeSlotRange(0, span);
 
+    // JSFunction's fixed slots expect POD-style initialization.
+    if (type->clasp()->isJSFunction())
+        memset(obj->fixedSlots(), 0, sizeof(js::HeapSlot) * GetGCKindSlots(kind));
+
     js::gc::TraceCreateObject(obj);
 
     return obj;
 }
 
 /* static */ inline js::ArrayObject *
 JSObject::createArray(js::ExclusiveContext *cx, js::gc::AllocKind kind, js::gc::InitialHeap heap,
                       js::HandleShape shape, js::HandleTypeObject type,