Bug 867329 - Make JS_NewUint8Array and friends accept any uint32_t as length and throw if the length is too big -- not assert when it's too big. r=sfink
authorJeff Walden <jwalden@mit.edu>
Tue, 30 Apr 2013 18:15:15 -0700
changeset 130540 06962a458da3cae4b17a8a7d2b7470e3d289a9c0
parent 130539 dfd22ba01d720bf7023291713a298320835dfd38
child 130541 d894bdbe585641cc17f470d81e5f71f1fab9c105
push id1579
push userphilringnalda@gmail.com
push dateSat, 04 May 2013 04:38:04 +0000
reviewerssfink
bugs867329
milestone23.0a1
Bug 867329 - Make JS_NewUint8Array and friends accept any uint32_t as length and throw if the length is too big -- not assert when it's too big. r=sfink
js/src/jsapi-tests/testTypedArrays.cpp
js/src/jstypedarray.cpp
--- a/js/src/jsapi-tests/testTypedArrays.cpp
+++ b/js/src/jsapi-tests/testTypedArrays.cpp
@@ -54,16 +54,21 @@ BEGIN_TEST(testTypedArrays)
 }
 
 template<JSObject *Create(JSContext *, uint32_t),
          typename Element,
          Element *GetData(JSObject *)>
 bool
 TestPlainTypedArray(JSContext *cx)
 {
+    {
+        RootedObject notArray(cx, Create(cx, UINT32_MAX));
+        CHECK(!notArray);
+    }
+
     RootedObject array(cx, Create(cx, 7));
     CHECK(JS_IsTypedArrayObject(array));
     RootedObject proto(cx);
     JS_GetPrototype(cx, array, proto.address());
     CHECK(!JS_IsTypedArrayObject(proto));
     RootedObject dummy(cx, JS_GetParent(proto));
     CHECK(!JS_IsTypedArrayObject(dummy));
 
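Review bot: The new block at the top of `TestPlainTypedArray` checks only that `Create(cx, UINT32_MAX)` returns null, so it does not confirm that an error was actually reported, and if one was, it stays pending on `cx` for the `Create(cx, 7)` call that follows. Assuming the failure path throws as the commit title says, add `CHECK(JS_IsExceptionPending(cx));` and `JS_ClearPendingException(cx);` inside the block after `CHECK(!notArray);`. UINT32_MAX also exercises only the far end of the range; a count just above INT32_MAX, and for multi-byte element types the smallest count whose byte size no longer fits, would pin the boundary the removed assertion used to guard. The function body continues past the end of the hunk.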
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@@ -2196,17 +2196,17 @@ class TypedArrayTemplate
             JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_TYPED_ARRAY_BAD_ARGS);
             return NULL; // boffset + len is too big for the arraybuffer
         }
 
         return makeInstance(cx, bufobj, boffset, len, proto);
     }
 
     static JSObject *
-    fromLength(JSContext *cx, int32_t nelements)
+    fromLength(JSContext *cx, uint32_t nelements)
     {
         RootedObject buffer(cx, createBufferWithSizeAndCount(cx, nelements));
         if (!buffer)
             return NULL;
         return makeInstance(cx, buffer, 0, nelements);
     }
 
     static JSObject *
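Review bot: With the parameter widened to `uint32_t`, `fromLength` has no range check of its own and depends on `createBufferWithSizeAndCount`, which is outside this hunk, to reject every count whose byte size (`nelements * sizeof(NativeType)`) cannot be represented or allocated. The same commit drops the debug-only `MOZ_ASSERT(nelements <= INT32_MAX)` from `JS_New ## Name ## Array`, so that helper is now the only guard for embedder-supplied lengths, and it is worth stating on the function: `// nelements is unchecked here; createBufferWithSizeAndCount must report an error and return NULL for any count it cannot allocate.` It would also help to confirm that `makeInstance` takes the length as an unsigned 32-bit value, and that internal callers which previously passed a signed count cannot hand in a negative number that now converts silently to a large unsigned one. The hunk ends on the return-type line of the next function, which is not reviewed here.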
@@ -3366,17 +3366,16 @@ const JSFunctionSpec _typedArray::jsfunc
     JS_FN("set", _typedArray::fun_set, 2, JSFUN_GENERIC_NATIVE),               \
     JS_FS_END                                                                  \
 }
 #endif
 
 #define IMPL_TYPED_ARRAY_JSAPI_CONSTRUCTORS(Name,NativeType)                                 \
   JS_FRIEND_API(JSObject *) JS_New ## Name ## Array(JSContext *cx, uint32_t nelements)       \
   {                                                                                          \
-      MOZ_ASSERT(nelements <= INT32_MAX);                                                    \
       return TypedArrayTemplate<NativeType>::fromLength(cx, nelements);                      \
   }                                                                                          \
   JS_FRIEND_API(JSObject *) JS_New ## Name ## ArrayFromArray(JSContext *cx, JSObject *other_)\
   {                                                                                          \
       Rooted<JSObject*> other(cx, other_);                                                   \
       return TypedArrayTemplate<NativeType>::fromArray(cx, other);                           \
   }                                                                                          \
   JS_FRIEND_API(JSObject *) JS_New ## Name ## ArrayWithBuffer(JSContext *cx,                 \