authorMoonchild <moonchild@palemoon.org>2020-07-10 16:15:00 +0000
committerMoonchild <moonchild@palemoon.org>2020-07-10 18:34:43 +0000
commit1597b61148692bbaa4194bcaea9823da140c51ab (patch)
tree79e97c2c123a683d21a5a01661a4576716b04813
parent694c5f889c519ef1647c482270632018fa31f58f (diff)
[js] Get the class pointer from the ObjectGroup in NativeObject::slotSpan
This changes NativeObject::slotSpan() to get the class from the object group rather than getting it from the base shape to avoid a race between Shape::ensureOwnBaseShape and background sweeping.
-rw-r--r--js/src/vm/NativeObject.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/js/src/vm/NativeObject.h b/js/src/vm/NativeObject.h
index 3a3e50244..e9c59ff7c 100644
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@@ -646,7 +646,10 @@ class NativeObject : public ShapedObject
uint32_t slotSpan() const {
if (inDictionaryMode())
return lastProperty()->base()->slotSpan();
- return lastProperty()->slotSpan();
+
+ // Get the class from the object group rather than the base shape to avoid a
+ // race between Shape::ensureOwnBaseShape and background sweeping.
+ return lastProperty()->slotSpan(getClass());
}
/* Whether a slot is at a fixed offset from this object. */
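Review bot: The dictionary-mode branch just above the new return still reads through `lastProperty()->base()`, and the added comment does not say why that path is unaffected by the `Shape::ensureOwnBaseShape` / background-sweeping race. If it is safe because a dictionary-mode last property already owns its base shape (an assumption, not visible in this hunk), say so next to that branch, e.g. `// Dictionary-mode shapes already own their base shape, so it is not swapped under us here.` Since only NativeObject.h changes, the argument-less `Shape::slotSpan()` overload used by the removed line still exists. Any other caller that can overlap with the sweeper would keep the same exposure, so those call sites (outside this hunk) deserve an audit or a comment on the overload warning against off-thread use.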