corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1108007 - Don't allow GC to observe uninitialized elements in cloned array r=nbp

Browse Source
This commit is contained in:
Jon Coppeard
2015-01-23 11:30:40 +00:00
parent 8d9902b8bc
commit 4dbf1f283e
2 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
js/src/jsobj.cpp
View File

@@ -1789,12 +1789,8 @@ js::DeepCloneObjectLiteral(JSContext *cx, HandleNativeObject obj, NewObjectKind
if (!clone || !clone->ensureElements(cx, obj->getDenseCapacity()))
return nullptr;
// Copy the number of initialized elements.
uint32_t initialized = obj->getDenseInitializedLength();
if (initialized)
clone->setDenseInitializedLength(initialized);
// Recursive copy of dense element.
uint32_t initialized = obj->getDenseInitializedLength();
for (uint32_t i = 0; i < initialized; ++i) {
v = obj->getDenseElement(i);
if (v.isObject()) {
@@ -1806,6 +1802,7 @@ js::DeepCloneObjectLiteral(JSContext *cx, HandleNativeObject obj, NewObjectKind
}
v.setObject(*deepObj);
}
clone->setDenseInitializedLength(i + 1);
clone->initDenseElement(i, v);
}