blob: 3d862aa510cda5e77c2404f807c5b7c125354e60 (
plain) (
tree)
|
|
commit a4d70f676839
Author: Jan de Mooij <jdemooij@mozilla.com>
Date: Wed Nov 29 16:03:12 2017 +0100
Bug 1415883 - Fix some issues in ShiftFromList. r=arai, a=abillings
--HG--
extra : source : 2467d71d0e0de20103ce61cdd221461a48e4591b
---
js/src/vm/List-inl.h | 4 ++--
js/src/vm/NativeObject.cpp | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git js/src/builtin/Stream.cpp js/src/builtin/Stream.cpp
index e53f811a02e1..28cafd6c06d6 100644
--- js/src/builtin/Stream.cpp
+++ js/src/builtin/Stream.cpp
@@ -357,11 +357,11 @@ ShiftFromList(JSContext* cx, HandleNativeObject list)
Rooted<T*> entry(cx, &list->getDenseElement(0).toObject().as<T>());
if (!list->tryShiftDenseElements(1)) {
list->moveDenseElements(0, 1, length - 1);
+ list->setDenseInitializedLength(length - 1);
list->shrinkElements(cx, length - 1);
}
- list->setDenseInitializedLength(length - 1);
-
+ MOZ_ASSERT(list->getDenseInitializedLength() == length - 1);
return entry;
}
diff --git js/src/vm/NativeObject.cpp js/src/vm/NativeObject.cpp
index 780bc74192dc..deab37154af2 100644
--- js/src/vm/NativeObject.cpp
+++ js/src/vm/NativeObject.cpp
@@ -1000,6 +1000,8 @@ void
NativeObject::shrinkElements(JSContext* cx, uint32_t reqCapacity)
{
MOZ_ASSERT(canHaveNonEmptyElements());
+ MOZ_ASSERT(reqCapacity >= getDenseInitializedLength());
+
if (denseElementsAreCopyOnWrite())
MOZ_CRASH();
|
