JavaScriptCore-1218.33.tar.gz

[apple/javascriptcore.git] / runtime / Structure.cpp

diff --git a/runtime/Structure.cpp b/runtime/Structure.cpp
index f551eaeccc9ec4926aa1f71116fc41295669373e..950728cca637b3be41582820e6c7f023dcbb3dbe 100644 (file)
--- a/runtime/Structure.cpp
+++ b/runtime/Structure.cpp
@@ -649,6 +649,12 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
     }
 
     m_dictionaryKind = NoneDictionaryKind;
+
+    // If the object had a Butterfly but after flattening/compacting we no longer have need of it,
+    // we need to zero it out because the collector depends on the Structure to know the size for copying.
+    if (object->butterfly() && !this->outOfLineCapacity() && !hasIndexingHeader(this->indexingType()))
+        object->setButterfly(vm, 0, this);
+
     return this;
 }