Diffstat (limited to 'Source/JavaScriptCore/runtime/Structure.cpp')
-rw-r--r-- | Source/JavaScriptCore/runtime/Structure.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
index f551eaecc..950728cca 100644
--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -649,6 +649,12 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
 }
 m_dictionaryKind = NoneDictionaryKind;
+
+ // If the object had a Butterfly but after flattening/compacting we no longer have need of it,
+ // we need to zero it out because the collector depends on the Structure to know the size for copying.
+ if (object->butterfly() && !this->outOfLineCapacity() && !hasIndexingHeader(this->indexingType()))
+ object->setButterfly(vm, 0, this);
+
 return this;
 }
|
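Review bot: The added null-out at the end of `flattenDictionaryStructure` enforces a collector memory-safety invariant (no butterfly left on an object whose Structure reports zero out-of-line capacity and no indexing header), but the diffstat shows only Structure.cpp changed, so no regression test pins it. A test that flattens an object down to no out-of-line storage and then forces a collection would keep this from regressing silently. The invariant is also established only on this path; other places that shrink out-of-line capacity may need the same check, which cannot be confirmed from this hunk because the function body starts outside it. As a smaller style point, if the toolchain allows C++11, `object->setButterfly(vm, nullptr, this);` states the pointer argument more clearly than the literal `0`.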