vendor/spidermonkey/jsscope.c in jbarnette-johnson-1.0.0.20090326161333 vs vendor/spidermonkey/jsscope.c in jbarnette-johnson-1.0.0.20090402144841
- old
+ new
@@ -807,10 +807,11 @@
JSDHashTable *table;
JSPropertyTreeEntry *entry;
JSScopeProperty *sprop;
PropTreeKidsChunk *chunk;
uintN i, n;
+ uint32 shape;
rt = cx->runtime;
if (!parent) {
JS_LOCK_GC(rt);
@@ -893,10 +894,16 @@
not_found:
JS_LOCK_GC(rt);
}
locked_not_found:
+ /*
+ * Call js_GenerateShape before the allocation to prevent collecting the
+ * new property when the shape generation triggers the GC.
+ */
+ shape = js_GenerateShape(cx, JS_TRUE, NULL);
+
sprop = NewScopeProperty(rt);
if (!sprop)
goto out_of_memory;
sprop->id = child->id;
@@ -905,11 +912,11 @@
sprop->slot = child->slot;
sprop->attrs = child->attrs;
sprop->flags = child->flags;
sprop->shortid = child->shortid;
sprop->parent = sprop->kids = NULL;
- sprop->shape = js_GenerateShape(cx, JS_TRUE);
+ sprop->shape = shape;
if (!parent) {
entry->child = sprop;
} else {
if (!InsertPropertyTreeChild(rt, parent, sprop, NULL))
@@ -1254,12 +1261,14 @@
* setter to js_watch_set.
* XXXbe this could get expensive with lots of watchpoints...
*/
if (!JS_CLIST_IS_EMPTY(&cx->runtime->watchPointList) &&
js_FindWatchPoint(cx->runtime, scope, id)) {
- JS_PUSH_TEMP_ROOT_SPROP(cx, overwriting, &tvr);
+ if (overwriting)
+ JS_PUSH_TEMP_ROOT_SPROP(cx, overwriting, &tvr);
setter = js_WrapWatchedSetter(cx, id, attrs, setter);
- JS_POP_TEMP_ROOT(cx, &tvr);
+ if (overwriting)
+ JS_POP_TEMP_ROOT(cx, &tvr);
if (!setter)
goto fail_overwrite;
}
/* Find or create a property tree node labeled by our arguments. */