From 68cfb28171080b65b7b53f043e334dc10cb74e31 Mon Sep 17 00:00:00 2001 From: Brian Hackett Date: Thu, 29 Jan 2015 11:50:43 -0700 Subject: [PATCH] Bug 1125389 - Fix NewReshapedObject to use the old shape's data, r=jandem. --- js/src/jsinfer.cpp | 7 ++++++- js/src/vm/Shape.cpp | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp index a7c1faef0148..81d1e91af616 100644 --- a/js/src/jsinfer.cpp +++ b/js/src/jsinfer.cpp @@ -4046,8 +4046,13 @@ TypeNewScript::maybeAnalyze(JSContext *cx, TypeObject *type, bool *regenerate, b // For now, we require all preliminary objects to have only simple // lineages of plain data properties. Shape *shape = obj->lastProperty(); - if (shape->inDictionary() || !OnlyHasDataProperties(shape)) + if (shape->inDictionary() || + !OnlyHasDataProperties(shape) || + shape->getObjectFlags() != 0 || + shape->getObjectMetadata() != nullptr) + { return true; + } maxSlotSpan = Max(maxSlotSpan, obj->slotSpan()); diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp index aa97b973906a..c21101d48f42 100644 --- a/js/src/vm/Shape.cpp +++ b/js/src/vm/Shape.cpp @@ -640,7 +640,12 @@ js::NewReshapedObject(JSContext *cx, HandleTypeObject type, JSObject *parent, /* Construct the new shape, without updating type information. */ RootedId id(cx); - RootedShape newShape(cx, res->lastProperty()); + RootedShape newShape(cx, EmptyShape::getInitialShape(cx, res->getClass(), + res->getTaggedProto(), + res->getMetadata(), + res->getParent(), + res->numFixedSlots(), + shape->getObjectFlags())); for (unsigned i = 0; i < ids.length(); i++) { id = ids[i]; MOZ_ASSERT(!res->contains(cx, id));