Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099
# HG changeset patch
# User Carsten "Tomcat" Book
# Date 1461123938 -7200
# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
# Parent 52dfdd37150d62f708dc5bf61dd28f3967596788
Bug 1252707 - a=sylvestre
diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
 if (obj->inDictionaryMode()) {
 MOZ_ASSERT(parent == obj->lastProperty());
 RootedGeneric childRoot(cx, &child);
 shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
 if (!shape)
 return nullptr;
 if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
- if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
+ if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
+ new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
 return nullptr;
+ }
 }
 shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
 }
 return shape;
 }
 /* static */ Shape*
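Review bot: The failure branch added under `setSlotSpan` has no comment saying why a `Shape` is constructed into a cell that is about to be abandoned, and without one it reads as dead code that a later cleanup could remove. From the visible lines, `shape` has been allocated by `NewGCShape`/`NewGCAccessorShape` but has not yet reached `initDictionaryShape` when this branch returns, so the placement-new presumably exists to leave the GC a well-formed cell instead of uninitialised memory. I would add `// shape is allocated but not yet initialized; construct a dummy Shape so the GC never sees garbage.` above the `new (shape)` line. It is also worth confirming that constructing a plain `Shape` is correct when the cell came from `NewGCAccessorShape`. The enclosing function starts before this hunk.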