From 6391fbb73e25d3f7af15213274c2a3bfe1bc7af5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 17 Jun 2024 11:04:05 +0200 Subject: Merging upstream version 115.12.0esr. Signed-off-by: Daniel Baumann --- js/src/vm/JSObject.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'js/src/vm') diff --git a/js/src/vm/JSObject.cpp b/js/src/vm/JSObject.cpp index 292971cf3e..4398725fde 100644 --- a/js/src/vm/JSObject.cpp +++ b/js/src/vm/JSObject.cpp @@ -1221,6 +1221,10 @@ void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b, MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(a)); MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(b)); + // Don't allow a GC which may observe intermediate state or run before we + // execute all necessary barriers. + gc::AutoSuppressGC nogc(cx); + if (!Watchtower::watchObjectSwap(cx, a, b)) { oomUnsafe.crash("watchObjectSwap"); } @@ -1311,10 +1315,6 @@ void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b, a->as().setInlineValueArray(); } } else { - // Avoid GC in here to avoid confusing the tracing code with our - // intermediate state. - gc::AutoSuppressGC suppress(cx); - // When the objects have different sizes, they will have different numbers // of fixed slots before and after the swap, so the slots for native objects // will need to be rearranged. Remember the original values from the -- cgit v1.2.3