Fix screwed up layering of GC marking for JSObject::emptyShape (596103, r=jorendorff).

js/src/jsgc.cpp

@@ -1638,10 +1638,16 @@ JS_TraceChildren(JSTracer *trc, void *thing, uint32 kind)
         JSObject *obj = (JSObject *) thing;
         if (!obj->map)
             break;
+
+        /* Trace universal (ops-independent) members. */
         if (JSObject *proto = obj->getProto())
             JS_CALL_OBJECT_TRACER(trc, proto, "proto");
         if (JSObject *parent = obj->getParent())
             JS_CALL_OBJECT_TRACER(trc, parent, "parent");
+        if (obj->emptyShape)
+            obj->emptyShape->trace(trc);
+
+        /* Delegate to ops or the native marking op. */
         JSTraceOp op = obj->getOps()->trace;
         (op ? op : js_TraceObject)(trc, obj);
         break;

js/src/jsscope.h

@@ -414,6 +414,9 @@ struct Shape : public JSObjectMap
     }
 
     void insertFree(js::Shape **freep) {
+#ifdef DEBUG
+        memset(this, JS_FREE_PATTERN, sizeof *this);
+#endif
         id = JSID_VOID;
         parent = *freep;
         if (parent)

js/src/jsscopeinlines.h

@@ -108,9 +108,6 @@ JSObject::extend(JSContext *cx, const js::Shape *shape, bool isDefinitelyAtom)
 inline void
 JSObject::trace(JSTracer *trc)
 {
-    if (emptyShape)
-        emptyShape->trace(trc);
-
     if (!isNative())
         return;
 

js/src/tests/js1_8_5/regress/jstests.list

@@ -34,3 +34,4 @@ script regress-592556-c35.js
 script regress-593256.js
 script regress-595365-1.js
 fails-if(!xulRuntime.shell) script regress-595365-2.js
+script regress-596103.js

js/src/tests/js1_8_5/regress/regress-596103.js

@@ -0,0 +1,13 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+// Contributor: Gary Kwong <gary@rumblingedge.com>, Jesse Ruderman <jruderman@gmail.com>
+
+for (var u = 0; u < 3; ++u) {
+    var y = [];
+    Object.create(y);
+    gc();
+    y.t = 3;
+    gc();
+}
+
+reportCompare(0, 0, 'ok');