From 2fe0d7c8909e58c5088e9bf03e06e81cf4e38d12 Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Tue, 22 Nov 2011 18:21:10 -0500
Subject: [PATCH] Don't trigger write barrier when initializing private data of
 new objects, bug 704136.

---
 js/src/jsobjinlines.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index 614f9b03273..18707eed8ec 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -1054,7 +1054,7 @@ JSObject::create(JSContext *cx, js::gc::AllocKind kind,
     obj->elements = js::emptyObjectElements;
 
     if (shape->getObjectClass()->hasPrivate())
-        obj->setPrivate(NULL);
+        obj->privateRef(shape->numFixedSlots()) = NULL;
 
     if (size_t span = shape->slotSpan())
         obj->initializeSlotRange(0, span);