From e9004db372227970f4615e0caab3a6c839c00ff7 Mon Sep 17 00:00:00 2001
From: Fedor
Date: Thu, 16 Jul 2020 03:57:14 +0300
Subject: [PATCH] [js] Get the class pointer from the ObjectGroup...
---
js/src/vm/NativeObject.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/js/src/vm/NativeObject.h b/js/src/vm/NativeObject.h
index 3a3e50244..e9c59ff7c 100644
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@@ -646,7 +646,10 @@ class NativeObject : public ShapedObject
 uint32_t slotSpan() const {
 if (inDictionaryMode())
 return lastProperty()->base()->slotSpan();
- return lastProperty()->slotSpan();
+
+ // Get the class from the object group rather than the base shape to avoid a
+ // race between Shape::ensureOwnBaseShape and background sweeping.
+ return lastProperty()->slotSpan(getClass());
 }
 
 /* Whether a slot is at a fixed offset from this object. */
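Review bot: The dictionary-mode branch directly above the changed return still reads through `lastProperty()->base()`, and the new comment explains only the non-dictionary path, so a reader cannot tell whether that branch is exposed to the same race with background sweeping. If it is safe because a dictionary-mode last property already owns its base shape (an inference; Shape.h is not part of this patch), a short comment on that branch should say so. The diffstat touches only NativeObject.h, so the zero-argument `Shape::slotSpan()` presumably remains callable; any other caller reachable during sweeping would keep the base-shape read this change removes here. It would help to audit those callers, or to document on that overload that it must not be used where the base shape can be swapped concurrently.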