From 893df28e803e17e57444f3933adf55a03e746ebf Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Sun, 20 Sep 2020 19:11:49 +0200
Subject: [PATCH] LibJS: Don't allocate property table during GC marking phase

Shape was allocating property tables inside visit_children(), which
could cause garbage collection to happen. It's not very good to start
a new garbage collection while you are in the middle of one already.
---
 Libraries/LibJS/Runtime/Shape.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Libraries/LibJS/Runtime/Shape.cpp b/Libraries/LibJS/Runtime/Shape.cpp
index ecfb4b1145..bb763e225a 100644
--- a/Libraries/LibJS/Runtime/Shape.cpp
+++ b/Libraries/LibJS/Runtime/Shape.cpp
@@ -104,9 +104,10 @@ void Shape::visit_children(Cell::Visitor& visitor)
     for (auto& it : m_forward_transitions)
         visitor.visit(it.value);
 
-    ensure_property_table();
-    for (auto& it : *m_property_table)
-        it.key.visit_children(visitor);
+    if (m_property_table) {
+        for (auto& it : *m_property_table)
+            it.key.visit_children(visitor);
+    }
 }
 
 Optional<PropertyMetadata> Shape::lookup(const StringOrSymbol& property_name) const