Bug 519363: instrumentation to check for shape overflow on crash object, r=lw

2009-10-26 13:36:02 -07:00 · 2009-10-26 13:36:02 -07:00 · b45e75a32b
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -2169,7 +2169,7 @@ InitScopeForObject(JSContext* cx, JSObject* obj, JSObject* proto, JSObjectOps* o
        if (!scope)
            goto bad;
        if (!DSLOTS_IS_NOT_NULL(obj))
-            DSLOTS_BUMP(obj);
+            DSLOTS_BUMP_1(obj);
    } else {
        scope = JSScope::create(cx, ops, clasp, obj, js_GenerateShape(cx, false));
        if (!scope)
--- a/js/src/jsops.cpp
+++ b/js/src/jsops.cpp
@ -1522,6 +1522,10 @@ BEGIN_CASE(JSOP_GETXPROP)
                } else if (PCVAL_IS_SLOT(entry->vword)) {
                    slot = PCVAL_TO_SLOT(entry->vword);
                    JS_ASSERT(slot < OBJ_SCOPE(obj2)->freeslot);
+                    if (!DSLOTS_IS_NOT_NULL(obj2) &&
+                        OBJ_SHAPE(obj2) >= SHAPE_OVERFLOW_BIT) {
+                        DSLOTS_BUMP_2(obj2);
+                    }
                    rval = LOCKED_OBJ_GET_SLOT(obj2, slot);
                } else {
                    JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
--- a/js/src/jsprvtd.h
+++ b/js/src/jsprvtd.h
@ -387,6 +387,7 @@ extern JSBool js_CStringsAreUTF8;

 #define DSLOTS_IS_NOT_NULL(obj)           (uintptr_t(obj->dslots) >= DSLOTS_NULL_LIMIT)
 #define DSLOTS_NORMALIZE(obj) (DSLOTS_IS_NOT_NULL(obj) ? (obj)->dslots : NULL)
-#define DSLOTS_BUMP(obj)      (obj->dslots = (jsval*) (uintptr_t((obj)->dslots) | (1 << (DSLOTS_NULL_SHIFT-1))))
+#define DSLOTS_BUMP_1(obj)      (obj->dslots = (jsval*) (uintptr_t((obj)->dslots) | (1 << (DSLOTS_NULL_SHIFT-1))))
+#define DSLOTS_BUMP_2(obj)      (obj->dslots = (jsval*) (uintptr_t((obj)->dslots) | (1 << (DSLOTS_NULL_SHIFT-2))))

 #endif /* jsprvtd_h___ */