From 2f644b6b1bc3e15303a2bfba31bea5131a438232 Mon Sep 17 00:00:00 2001
From: David Anderson <danderson@mozilla.com>
Date: Thu, 8 Dec 2011 17:46:39 -0800
Subject: [PATCH] Cap objects to a saner memory limit (bug 705855,
 r=dmandelin).

--HG--
extra : rebase_source : 551bbcee86d617f3a55a0a3274083ae54af4b294
---
 js/src/jsobj.cpp | 2 ++
 js/src/jsobj.h   | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 12baf48d20c..cedfbacada9 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -117,6 +117,8 @@ using namespace js;
 using namespace js::gc;
 using namespace js::types;
 
+JS_STATIC_ASSERT(int32((JSObject::NELEMENTS_LIMIT - 1) * sizeof(Value)) == int64((JSObject::NELEMENTS_LIMIT - 1) * sizeof(Value)));
+
 Class js::ObjectClass = {
     js_Object_str,
     JSCLASS_HAS_CACHED_PROTO(JSProto_Object),
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index d223d78c697..67be223b9b7 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -531,7 +531,7 @@ struct JSObject : js::gc::Cell
     inline bool nativeContains(JSContext *cx, const js::Shape &shape);
 
     /* Upper bound on the number of elements in an object. */
-    static const uint32 NELEMENTS_LIMIT = JS_BIT(29);
+    static const uint32 NELEMENTS_LIMIT = JS_BIT(28);
 
   private:
     js::HeapValue   *slots;     /* Slots for object properties. */