This is causing test failures on Mochitest-1 and Mochitest-other. I *think* this was introduced by bug 648321, objects a and b have different size. a is a proxy and b is a text node object.
Is object 'b' a non-native? TradeGuts should work the same on both proxies and other non-natives so that assertion could just be weakened (no assertions in this area of the code at all when made the change IIRC, and looking at immediate callers was not enlightening). Looking at this code again, this swap code from the bug 648321 patch is a total trainwreck. - The numbers of fixed slots are swapped along with everything else (worked back when fixed slots were determined from the arena). - We reuse the dynamic slots from the other object, but if that object had more fixed slots then the allocated size of its slots pointer will be smaller and we end up with buffer overflows (eeek!). - After the capacity stuff gets fixed, we also need to clear slots above the other object's numSlots() with undefined.
(In reply to comment #2) > Is object 'b' a non-native? js_DumpObject: object 0x1b4aa460 class 0x1c8c4cf4 Text flags: proto <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x1b4aa3b8> parent <HTMLDocument object at 0x1b4aa2d8> private 0x1c4ca120 reserved slots: 0 (reserved) = undefined properties:
If you fix stuff here please separate and land directly on TM.
These problems are with a patch that is up for review in bug 648321 and hasn't landed on TM yet. The implementation of TradeGuts in TM currently is I think fine, but 648321 changes how objects are laid out and had to change this function. I thought that at least when bug 584917 landed this situation wasn't possible (swap a non-native with a native outside of FixProxy), but it looks like that's changed. It shouldn't be hard to handle this case though, we just need to make sure that any native object whose guts are swapped with one of different size is reshaped afterwards.
This should fix things. http://hg.mozilla.org/projects/jaegermonkey/rev/425b3fcdbe41