From d2a65179177e22e90668f5d8d80063b88482867a Mon Sep 17 00:00:00 2001
From: "brendan@mozilla.org"
Date: Wed, 13 Feb 2008 19:12:44 -0800
Subject: [PATCH] Must set initial slot value in js_DefineNativeProperty via write barrier (417012, r=shaver).
---
 js/src/jsobj.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/js/src/jsobj.c b/js/src/jsobj.c
index 68a6d0c8cdd0..4e9ffd6f7fa0 100644
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@@ -2958,7 +2958,7 @@ js_DefineProperty(JSContext *cx, JSObject *obj, jsid id, jsval value,
 } \
 if (*(vp) != nominal_) { \
 if (SPROP_HAS_VALID_SLOT(sprop, scope)) \
- LOCKED_OBJ_SET_SLOT(obj, (sprop)->slot, *(vp)); \
+ LOCKED_OBJ_WRITE_BARRIER(cx, obj, (sprop)->slot, *(vp)); \
 } \
 } \
 JS_END_MACRO
@@ -3053,7 +3053,7 @@ js_DefineNativeProperty(JSContext *cx, JSObject *obj, jsid id, jsval value,
 /* Store value before calling addProperty, in case the latter GC's. */
 if (SPROP_HAS_VALID_SLOT(sprop, scope))
- LOCKED_OBJ_SET_SLOT(obj, sprop->slot, value);
+ LOCKED_OBJ_WRITE_BARRIER(cx, obj, sprop->slot, value);
 /* XXXbe called with lock held */
 ADD_PROPERTY_HELPER(cx, clasp, obj, scope, sprop, &value,
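Review bot: In the first hunk, `LOCKED_OBJ_WRITE_BARRIER(cx, obj, (sprop)->slot, *(vp));` is now the sole body of an unbraced `if (SPROP_HAS_VALID_SLOT(sprop, scope))`, and the js_DefineNativeProperty hunk has the same shape. The barrier macro's definition is not visible here; if it expands to more than one statement without a `JS_BEGIN_MACRO`/`JS_END_MACRO` wrapper, only the first statement would be guarded and the rest would run even for an sprop without a valid slot. Bracing the `if` body at both sites would make the guarded store independent of how the barrier is defined. The changed lines sit inside a multi-line macro that ends at `JS_END_MACRO` and appears to begin above this hunk.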
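Review bot: The comment above the store in js_DefineNativeProperty still explains only the ordering relative to addProperty and not why a barrier is required, so a later cleanup could revert to a raw slot store; consider `/* Store value via the write barrier (never a raw slot store) before calling addProperty, in case the latter GC's. */`. Because this is the initial store into what may be a just-allocated slot, it is worth confirming that the slot already holds a well-defined value in case the barrier reads the old contents; that is not visible in this hunk. Any other `LOCKED_OBJ_SET_SLOT` callers in jsobj.c that store caller-supplied values may deserve the same audit. js_DefineNativeProperty's body starts and continues outside the hunk.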