fix bug 78428 by making sure to use the lesser of the freeslot or nslots value when marking slots. This is necessary because objects can now be in an initial state where the freeslots is a larger number than the nslots - and the actual number of slots in the array. sr=brendan r=beard a=drivers

git-svn-id: svn://10.0.0.236/trunk@96380 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/js/src/jsdbgapi.c

@@ -868,7 +868,7 @@ JS_GetPropertyDescArray(JSContext *cx, JSObject *obj, JSPropertyDescArray *pda)
         return JS_TRUE;
     }
 
-    n = scope->map.freeslot;
+    n = JS_MIN(scope->map.freeslot, scope->map.nslots);
     pd = (JSPropertyDesc *) JS_malloc(cx, (size_t)n * sizeof(JSPropertyDesc));
     if (!pd)
         return JS_FALSE;

mozilla/js/src/jsgc.c

@@ -819,7 +819,7 @@ js_MarkGCThing(JSContext *cx, void *thing, void *arg)
         }
         nslots = (obj->map->ops->mark)
                  ? obj->map->ops->mark(cx, obj, arg)
-                 : obj->map->freeslot;
+                 : JS_MIN(obj->map->freeslot, obj->map->nslots);
 #ifdef GC_MARK_DEBUG
         scope = OBJ_IS_NATIVE(obj) ? OBJ_SCOPE(obj) : NULL;
 #endif

mozilla/js/src/jsobj.c

@@ -1786,7 +1786,7 @@ js_AllocSlot(JSContext *cx, JSObject *obj, uint32 *slotp)
     JS_ASSERT(!MAP_IS_NATIVE(map) || ((JSScope *)map)->object == obj);
     nslots = map->nslots;
     if (map->freeslot >= nslots) {
-        nslots = JS_MAX(map->freeslot, nslots);
+        nslots = map->freeslot;
         JS_ASSERT(nslots >= JS_INITIAL_NSLOTS);
         nslots += (nslots + 1) / 2;
 
@@ -3463,7 +3463,7 @@ js_Mark(JSContext *cx, JSObject *obj, void *arg)
          */
         return (uint32) obj->slots[-1];
     }
-    return obj->map->freeslot;
+    return JS_MIN(obj->map->freeslot, obj->map->nslots);
 }
 
 void