From 69d5d1e702024e584536c88a5d604889c5bcd14d Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Fri, 23 Feb 2018 13:25:53 -0500
Subject: Bug 1437507 - Fix JSObject::setFlags to call ensureShape before
 checking for dictionary mode. r=jandem, a=RyanVM

--HG--
extra : source : ca6b74831ec3db204e024b07f200b0d1ce93557e
extra : intermediate-source : 9d7c295d9570e294851908465f56ec0779547d2a
---
 js/src/vm/Shape.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
index a64dc529a..306a2c540 100644
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -1214,6 +1214,10 @@ JSObject::setFlags(ExclusiveContext* cx, BaseShape::Flag flags, GenerateShape ge
 
     RootedObject self(cx, this);
 
+    Shape* existingShape = self->ensureShape(cx);
+    if (!existingShape)
+        return false;
+
     if (isNative() && as<NativeObject>().inDictionaryMode()) {
         if (generateShape == GENERATE_SHAPE && !as<NativeObject>().generateOwnShape(cx))
             return false;
@@ -1227,10 +1231,6 @@ JSObject::setFlags(ExclusiveContext* cx, BaseShape::Flag flags, GenerateShape ge
         return true;
     }
 
-    Shape* existingShape = self->ensureShape(cx);
-    if (!existingShape)
-        return false;
-
     Shape* newShape = Shape::setObjectFlags(cx, flags, self->taggedProto(), existingShape);
     if (!newShape)
         return false;
-- 
cgit v1.2.3