corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 714616: fix write barrier in Array.shift, r=billm

Browse Source
This commit is contained in:
David Mandelin
2012-01-30 17:13:07 -08:00
parent b9455f49eb
commit 245953b14d
4 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
js/src/jsarray.cpp
View File

@@ -2506,7 +2506,7 @@ mjit::stubs::ArrayShift(VMFrame &f)
* themselves.
*/
uint32_t initlen = obj->getDenseArrayInitializedLength();
obj->moveDenseArrayElements(0, 1, initlen);
obj->moveDenseArrayElementsUnbarriered(0, 1, initlen);
}
#endif /* JS_METHODJIT */
@@ -2533,7 +2533,7 @@ js::array_shift(JSContext *cx, uintN argc, Value *vp)
args.rval() = obj->getDenseArrayElement(0);
if (args.rval().isMagic(JS_ARRAY_HOLE))
args.rval().setUndefined();
obj->moveDenseArrayElements(0, 1, length);
obj->moveDenseArrayElements(0, 1, obj->getDenseArrayInitializedLength() - 1);
obj->setDenseArrayInitializedLength(obj->getDenseArrayInitializedLength() - 1);
obj->setArrayLength(cx, length);
if (!js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(length)))