Bug 1105232 - Fix race condition updating copy-on-write array owner pointer in compacting GC r=terrence

2024-09-13 09:24:08 -07:00 · 2014-12-01 06:05:41 -08:00 · 2014-12-01 06:05:41 -08:00 · a32fe4c0ad
commit a32fe4c0ad
parent 3665e05348
1 changed files with 1 additions and 2 deletions
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -2769,8 +2769,7 @@ JSObject::fixupAfterMovingGC()
        ObjectElements *header = as<NativeObject>().getElementsHeader();
        if (header->isCopyOnWrite()) {
            HeapPtrNativeObject &owner = header->ownerObject();
-            if (IsForwarded(owner.get()))
-                owner = Forwarded(owner.get());
+            owner = MaybeForwarded(owner.get());
            as<NativeObject>().elements_ = owner->getElementsHeader()->elements();
        }
    }