From 8039b8bc2c440d9e1fa281280e80bd6619fd3d8f Mon Sep 17 00:00:00 2001
From: Terrence Cole <terrence@mozilla.com>
Date: Thu, 1 Aug 2013 13:18:44 -0700
Subject: [PATCH] Bug 900405 - Fix an incorrect assertion and missing check for
 minor GC; r=billm

---
 js/src/gc/Nursery.cpp                  | 2 +-
 js/src/jit-test/tests/gc/bug-900405.js | 3 +++
 js/src/jsobjinlines.h                  | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/gc/bug-900405.js

diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index 1b7e2107de0..d9984f04034 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -508,7 +508,7 @@ js::Nursery::moveElementsToTenured(JSObject *dst, JSObject *src, AllocKind dstKi
         return nslots * sizeof(HeapSlot);
     }
 
-    JS_ASSERT(nslots > 2);
+    JS_ASSERT(nslots >= 2);
     size_t nbytes = nslots * sizeof(HeapValue);
     dstHeader = static_cast<ObjectElements *>(zone->malloc_(nbytes));
     if (!dstHeader)
diff --git a/js/src/jit-test/tests/gc/bug-900405.js b/js/src/jit-test/tests/gc/bug-900405.js
new file mode 100644
index 00000000000..eeec6f25f18
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-900405.js
@@ -0,0 +1,3 @@
+(function() {
+    [{ "9": [] }.watch([], function(){})]
+})()
diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index 4179152bacc..adda203e995 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -587,7 +587,7 @@ JSObject::create(js::ExclusiveContext *cx, js::gc::AllocKind kind, js::gc::Initi
     }
 
 #ifdef JSGC_GENERATIONAL
-    if (heap != js::gc::TenuredHeap)
+    if (slots && heap != js::gc::TenuredHeap)
         cx->asJSContext()->runtime()->gcNursery.notifyInitialSlots(obj, slots);
 #endif