Make Internal field usage in cfxjs_engine match README.doc

As it turns out, this doesn't cause any bugs with the FXJS/FXJSE
interaction since the magic values will never be present in the
other slot, but the code looks wrong wrt. the document.

Also fix an assert in FXJSE that our objects have two slots,
and null appropriately (just a defensive measure).

Also assert that one of our casts is valid.

Change-Id: I3146fe58350da5e9b76e711d81480565dabd587f
Reviewed-on: https://pdfium-review.googlesource.com/29859
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

1 files changed, 4 insertions, 4 deletions

diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp
index 561a0a31f9..54aa28cf4b 100644
--- a/fxjs/cfxjs_engine.cpp
+++ b/fxjs/cfxjs_engine.cpp
@@ -93,20 +93,20 @@ class CFXJS_PerObjectData {
   static void SetInObject(CFXJS_PerObjectData* pData,
                           v8::Local<v8::Object> pObj) {
     if (pObj->InternalFieldCount() == 2) {
-      pObj->SetAlignedPointerInInternalField(0, pData);
       pObj->SetAlignedPointerInInternalField(
-          1, static_cast<void*>(kPerObjectDataTag));
+          0, static_cast<void*>(kPerObjectDataTag));
+      pObj->SetAlignedPointerInInternalField(1, pData);
     }
   }
 
   static CFXJS_PerObjectData* GetFromObject(v8::Local<v8::Object> pObj) {
     if (pObj.IsEmpty() || pObj->InternalFieldCount() != 2 ||
-        pObj->GetAlignedPointerFromInternalField(1) !=
+        pObj->GetAlignedPointerFromInternalField(0) !=
             static_cast<void*>(kPerObjectDataTag)) {
       return nullptr;
     }
     return static_cast<CFXJS_PerObjectData*>(
-        pObj->GetAlignedPointerFromInternalField(0));
+        pObj->GetAlignedPointerFromInternalField(1));
   }
 
   const int m_ObjDefID;