Bug 969159 -- Adjust assertion to account for zero-sized objects r=shu
☠☠ backed out by 93f2c8487cf7 ☠ ☠
author Nicholas D. Matsakis <nmatsakis@mozilla.com>
Fri, 07 Feb 2014 13:48:35 -0500
changeset 167778 8a36e37f46edf302a6f50f39c650392b204c290e
parent 167777 66a052d05ddd78183c2c330b03fc706912417d84
child 167779 a3cddd4f926bda81bebe64d1c495ac5457eb9142
push id 39540
push user nmatsakis@mozilla.com
push date Sun, 09 Feb 2014 20:27:21 +0000
reviewers shu
bugs 969159
milestone 30.0a1
Bug 969159 -- Adjust assertion to account for zero-sized objects r=shu
js/src/builtin/TypedObject.cpp
js/src/builtin/TypedObject.h
js/src/jit-test/tests/TypedObject/bug969159.js
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
@@ -1336,16 +1336,17 @@ TypedDatum::attach(uint8_t *memory)
     setPrivate(memory);
     setReservedSlot(JS_DATUM_SLOT_OWNER, ObjectValue(*this));
 }
 
 void
 TypedDatum::attach(TypedDatum &datum, uint32_t offset)
 {
     JS_ASSERT(datum.getReservedSlot(JS_DATUM_SLOT_OWNER).isObject());
+    JS_ASSERT(offset + size() <= datum.size());
 
     // find the location in memory
     uint8_t *mem = datum.typedMem(offset);
 
     // find the owner, which is often but not always `datum`
     TypedDatum &owner = datum.owner();
 
     setPrivate(mem);
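Review bot: The new `JS_ASSERT(offset + size() <= datum.size());` after the owner check forms the sum before comparing, so if `offset` (a `uint32_t`) and the value returned by `size()` are both 32 bits wide the addition can wrap and an out-of-range offset would still pass; the wrap-free form `JS_ASSERT(offset <= datum.size() && size() <= datum.size() - offset);` expresses the same invariant. JS_ASSERT is also compiled out in non-DEBUG builds, so in release nothing here validates the range and callers remain responsible for it. TypedDatum::attach's body continues past the end of the hunk.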
--- a/js/src/builtin/TypedObject.h
+++ b/js/src/builtin/TypedObject.h
@@ -511,17 +511,22 @@ class TypedDatum : public JSObject
 
           case TypeRepresentation::UnsizedArray:
             return typeRepr->asUnsizedArray()->element()->size() * length();
         }
         MOZ_ASSUME_UNREACHABLE("unhandled typerepresentation kind");
     }
 
     uint8_t *typedMem(size_t offset) const {
-        JS_ASSERT(offset < size());
+        // It seems a bit surprising that one might request an offset
+        // == size(), but it can happen when taking the "address of" a
+        // 0-sized value. (In other words, we maintain the invariant
+        // that `offset + size <= size()` -- this is always checked in
+        // the caller's side.)
+        JS_ASSERT(offset <= size());
         return typedMem() + offset;
     }
 };
 
 typedef Handle<TypedDatum*> HandleTypedDatum;
 
 class TypedObject : public TypedDatum
 {
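Review bot: The comment added above the relaxed `JS_ASSERT(offset <= size());` in typedMem says the `offset + size <= size()` invariant "is always checked in the caller's side", but that caller-side check (added to TypedDatum::attach in this same commit) is itself a JS_ASSERT and so exists only in DEBUG builds; the comment should say it is asserted rather than enforced. It should also spell out the consequence for callers: when `offset == size()` the pointer returned by `typedMem() + offset` is one past the end of the datum's storage and must not be dereferenced. Suggested replacement for the parenthetical: `// (This invariant is asserted, not enforced, on the caller's side; when offset == size() the result is a one-past-the-end pointer and must not be dereferenced.)` The size() method and the TypedDatum class begin before the hunk.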
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug969159.js
@@ -0,0 +1,9 @@
+// Test access to a 0-sized element (in this case,
+// a zero-length array).
+
+if (!this.hasOwnProperty("TypedObject"))
+  quit();
+
+var AA = TypedObject.uint8.array(0.).array(5);
+var aa = new AA();
+var aa0 = aa[0];
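Review bot: The test reads `aa[0]` into `aa0` on its last line but never checks the result, so it only verifies that the access no longer trips the debug assertion and would not notice a wrong value coming back; adding `assertEq(aa0.length, 0);` after it would pin that the element is the expected zero-length array. Whether the element exposes a `length` property depends on TypedObject's array API, which this file does not show.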