corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[INFER] Root dense array elements during conversion to slow array, bug 649152.

Browse Source
This commit is contained in:
Brian Hackett
2011-04-24 07:56:56 -07:00
parent 0df8349c3d
commit 295d41c6d0
3 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
js/src/jsarray.cpp
View File

@@ -1114,6 +1114,12 @@ JSObject::makeDenseArraySlow(JSContext *cx)
capacity = numFixedSlots() + arrayCapacity;
clasp = &js_SlowArrayClass;
/*
* Root all values in the array during conversion, as SlowArrayClass only
* protects up to its slot span.
*/
AutoValueArray autoArray(cx, slots, arrayInitialized);
/* The initialized length is used iff this is a dense array. */
initializedLength = 0;
JS_ASSERT(newType == NULL);