From 2a10e013ccdcbbe2d56896b07252f9f49e2745c2 Mon Sep 17 00:00:00 2001
From: Jon Coppeard <jcoppeard@mozilla.com>
Date: Wed, 8 Oct 2014 08:32:28 +0100
Subject: [PATCH] Bug 1075546 r=terrence

---
 js/src/jit-test/tests/gc/bug-1075546.js | 30 +++++++++++++++++++++++++
 js/src/jsobj.cpp                        |  3 ++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-1075546.js

diff --git a/js/src/jit-test/tests/gc/bug-1075546.js b/js/src/jit-test/tests/gc/bug-1075546.js
new file mode 100644
index 00000000000..001e764ea1d
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1075546.js
@@ -0,0 +1,30 @@
+for (var i = 0; i < 200; ++i) {
+    Object.getOwnPropertyNames(undefined + "");
+}
+function p(s) {
+    for (var i = 0; i < s.length; i++) {
+        s.charCodeAt(i);
+    }
+}
+function m(f) {
+    var a = [];
+    for (var j = 0; j < 700; ++j) {
+        try {
+            f()
+        } catch (e) {
+            a.push(e.toString());
+        }
+    }
+    p(uneval(a));
+}
+f = Function("\
+    function f() {\
+        functionf\n{}\
+    }\
+    m(f);\
+");
+f();
+f();
+for (var x = 0; x < 99; x++) {
+    newGlobal()
+}
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 328f538f441..38b86a5aae2 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1505,9 +1505,10 @@ js::NewObjectWithGivenProto(ExclusiveContext *cxArg, const js::Class *clasp,
                     parentArg = parent;
                     protoArg = proto;
                 }
+            } else {
+                gcNumber = rt->gc.gcNumber();
             }
         }
-        gcNumber = rt->gc.gcNumber();
     }
 
     Rooted<TaggedProto> proto(cxArg, protoArg);