diff options
| author | Moonchild <moonchild@palemoon.org> | 2020-07-10 16:15:00 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2020-07-10 18:34:43 +0000 |
| commit | 1597b61148692bbaa4194bcaea9823da140c51ab (patch) | |
| tree | 79e97c2c123a683d21a5a01661a4576716b04813 /js/src/vm/NativeObject.h | |
| parent | 694c5f889c519ef1647c482270632018fa31f58f (diff) | |
| download | UXP-1597b61148692bbaa4194bcaea9823da140c51ab.tar UXP-1597b61148692bbaa4194bcaea9823da140c51ab.tar.gz UXP-1597b61148692bbaa4194bcaea9823da140c51ab.tar.lz UXP-1597b61148692bbaa4194bcaea9823da140c51ab.tar.xz UXP-1597b61148692bbaa4194bcaea9823da140c51ab.zip | |
[js] Get the class pointer from the ObjectGroup in NativeObject::slotSpan
This changes NativeObject::slotSpan() to get the class from the object group
rather than getting it from the base shape to avoid a race between
Shape::ensureOwnBaseShape and background sweeping.
Diffstat (limited to 'js/src/vm/NativeObject.h')
| -rw-r--r-- | js/src/vm/NativeObject.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/js/src/vm/NativeObject.h b/js/src/vm/NativeObject.h index 3a3e50244..e9c59ff7c 100644 --- a/js/src/vm/NativeObject.h +++ b/js/src/vm/NativeObject.h @@ -646,7 +646,10 @@ class NativeObject : public ShapedObject uint32_t slotSpan() const { if (inDictionaryMode()) return lastProperty()->base()->slotSpan(); - return lastProperty()->slotSpan(); + + // Get the class from the object group rather than the base shape to avoid a + // race between Shape::ensureOwnBaseShape and background sweeping. + return lastProperty()->slotSpan(getClass()); } /* Whether a slot is at a fixed offset from this object. */ |