Bug 1231926 - add assertions on BYTEOFFSET_SLOT. r=waldo
authorLars T Hansen <lhansen@mozilla.com>
Thu, 24 Mar 2016 17:11:10 +0100
changeset 291508 fa65591762ba7c70848462228de0fbc2dd61672c
parent 291507 df3ddeee164770c7abf6448a38b72dbf70adec8a
child 291509 88688664f228ff07d20d623c701a49dac9226f12
push id19656
push usergwagner@mozilla.com
push dateMon, 04 Apr 2016 13:43:23 +0000
treeherderb2g-inbound@e99061fde28a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerswaldo
bugs1231926
milestone48.0a1
Bug 1231926 - add assertions on BYTEOFFSET_SLOT. r=waldo
js/src/vm/ArrayBufferObject.cpp
js/src/vm/TypedArrayObject.h
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -1012,16 +1012,17 @@ ArrayBufferViewObject::trace(JSTracer* t
     TraceEdge(trc, &bufSlot, "typedarray.buffer");
 
     // Update obj's data pointer if it moved.
     if (bufSlot.isObject()) {
         if (IsArrayBuffer(&bufSlot.toObject())) {
             ArrayBufferObject& buf = AsArrayBuffer(MaybeForwarded(&bufSlot.toObject()));
             uint32_t offset = uint32_t(obj->getFixedSlot(TypedArrayObject::BYTEOFFSET_SLOT).toInt32());
             MOZ_ASSERT(buf.dataPointer() != nullptr);
+            MOZ_ASSERT(offset <= INT32_MAX);
 
             if (buf.forInlineTypedObject()) {
                 // The data is inline with an InlineTypedObject associated with the
                 // buffer. Get a new address for the typed object if it moved.
                 JSObject* view = buf.firstView();
 
                 // Mark the object to move it into the tenured space.
                 TraceManuallyBarrieredEdge(trc, &view, "typed array nursery owner");
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -115,17 +115,19 @@ class TypedArrayObject : public NativeOb
 
     inline Scalar::Type type() const;
     inline size_t bytesPerElement() const;
 
     static Value bufferValue(TypedArrayObject* tarr) {
         return tarr->getFixedSlot(BUFFER_SLOT);
     }
     static Value byteOffsetValue(TypedArrayObject* tarr) {
-        return tarr->getFixedSlot(BYTEOFFSET_SLOT);
+        Value v = tarr->getFixedSlot(BYTEOFFSET_SLOT);
+        MOZ_ASSERT(v.toInt32() >= 0);
+        return v;
     }
     static Value byteLengthValue(TypedArrayObject* tarr) {
         return Int32Value(tarr->getFixedSlot(LENGTH_SLOT).toInt32() * tarr->bytesPerElement());
     }
     static Value lengthValue(TypedArrayObject* tarr) {
         return tarr->getFixedSlot(LENGTH_SLOT);
     }