Bug 1415883 - Fix some issues in ShiftFromList. r=arai, a=abillings
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 29 Nov 2017 16:03:12 +0100
changeset 445080 701bfdada7176ea0d4240e6e68ee00fd3dcb39ff
parent 445079 f75ad2573f47bd015deace0080fe31fca27ab173
child 445081 506e051acf71378dcafc7737df40ab7751c63748
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
reviewersarai, abillings
bugs1415883
milestone58.0
Bug 1415883 - Fix some issues in ShiftFromList. r=arai, a=abillings
js/src/vm/List-inl.h
js/src/vm/NativeObject.cpp
--- a/js/src/vm/List-inl.h
+++ b/js/src/vm/List-inl.h
@@ -51,19 +51,19 @@ inline MOZ_MUST_USE T*
 ShiftFromList(JSContext* cx, HandleNativeObject list)
 {
     uint32_t length = list->getDenseInitializedLength();
     MOZ_ASSERT(length > 0);
 
     Rooted<T*> entry(cx, &list->getDenseElement(0).toObject().as<T>());
     if (!list->tryShiftDenseElements(1)) {
         list->moveDenseElements(0, 1, length - 1);
+        list->setDenseInitializedLength(length - 1);
         list->shrinkElements(cx, length - 1);
     }
 
-    list->setDenseInitializedLength(length - 1);
-
+    MOZ_ASSERT(list->getDenseInitializedLength() == length - 1);
     return entry;
 }
 
 } /* namespace js */
 
 #endif /* vm_List_inl_h */
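Review bot: The fallback branch now depends on `setDenseInitializedLength(length - 1)` running before `shrinkElements(cx, length - 1)`, but nothing in the code says so, and a later reorder would bring back a state where the initialized length exceeds the requested capacity. A one-line comment above the call would pin the ordering, e.g. `// Lower the initialized length first: shrinkElements must never be asked for less capacity than is initialized.` The closing `MOZ_ASSERT(list->getDenseInitializedLength() == length - 1)` also assumes that `tryShiftDenseElements(1)` updates the initialized length on its success path, which is not visible in this hunk. Because MOZ_ASSERT is compiled out of release builds, that line documents the assumption rather than enforcing it, and the same holds for the `length > 0` precondition that `length - 1` relies on.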
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -991,16 +991,18 @@ NativeObject::growElements(JSContext* cx
 
     return true;
 }
 
 void
 NativeObject::shrinkElements(JSContext* cx, uint32_t reqCapacity)
 {
     MOZ_ASSERT(canHaveNonEmptyElements());
+    MOZ_ASSERT(reqCapacity >= getDenseInitializedLength());
+
     if (denseElementsAreCopyOnWrite())
         MOZ_CRASH();
 
     if (!hasDynamicElements())
         return;
 
     // If we have shifted elements, consider moving them.
     uint32_t numShifted = getElementsHeader()->numShiftedElements();