Bug 1538006 - Propagate unknownProperties when changing prototype. r=jandem, a=dveditz
authorTed Campbell <tcampbell@mozilla.com>
Thu, 21 Mar 2019 22:36:46 +0000
changeset 525666 5aa32b11aaac804cd226e5a00f071f1d5f621ba0
parent 525665 28911550fa180deca742bc66c9b2b1f2b47b636a
child 525667 77536919b1210dcee2e3d72416108210bd9a10c8
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
treeherdermozilla-release@455c1065dcbe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem, dveditz
bugs1538006
milestone67.0
Bug 1538006 - Propagate unknownProperties when changing prototype. r=jandem, a=dveditz Differential Revision: https://phabricator.services.mozilla.com/D24446
js/src/vm/NativeObject.cpp
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -1263,22 +1263,25 @@ static MOZ_ALWAYS_INLINE void UpdateShap
 }
 
 void js::AddPropertyTypesAfterProtoChange(JSContext* cx, NativeObject* obj,
                                           ObjectGroup* oldGroup) {
   AutoSweepObjectGroup sweepObjGroup(obj->group());
   MOZ_ASSERT(obj->group() != oldGroup);
   MOZ_ASSERT(!obj->group()->unknownProperties(sweepObjGroup));
 
+  AutoSweepObjectGroup sweepOldGroup(oldGroup);
+  if (oldGroup->unknownProperties(sweepOldGroup)) {
+    MarkObjectGroupUnknownProperties(cx, obj->group());
+    return;
+  }
+
   // First copy the dynamic flags.
-  AutoSweepObjectGroup sweepOldGroup(oldGroup);
   MarkObjectGroupFlags(
-      cx, obj,
-      oldGroup->flags(sweepOldGroup) &
-          (OBJECT_FLAG_DYNAMIC_MASK & ~OBJECT_FLAG_UNKNOWN_PROPERTIES));
+      cx, obj, oldGroup->flags(sweepOldGroup) & OBJECT_FLAG_DYNAMIC_MASK);
 
   // Now update all property types. If the object has many properties, this
   // function may be slow so we mark all properties as unknown.
   static const size_t MaxPropertyCount = 40;
 
   size_t nprops = obj->getDenseInitializedLength();
   if (nprops > MaxPropertyCount) {
     MarkObjectGroupUnknownProperties(cx, obj->group());