Bug 1082649 - Check for neutered typed objects before accessing their byte offset, r=nmatsakis.
authorBrian Hackett <bhackett1024@gmail.com>
Tue, 28 Oct 2014 18:56:27 -0700
changeset 212800 138f767ee2243f85845e7820f7d51bccb399805f
parent 212799 dbc962da0f1f4bf720f3d4e2801bf88ee83be419
child 212801 b51051e5ac2e56f0bbd27070f48fbd0fad4e5875
push id27730
push usercbook@mozilla.com
push dateWed, 29 Oct 2014 12:26:03 +0000
reviewersnmatsakis
bugs1082649
milestone36.0a1
Bug 1082649 - Check for neutered typed objects before accessing their byte offset, r=nmatsakis.
js/src/builtin/TypedObject.js
js/src/jit-test/tests/TypedObject/bug1082649.js
--- a/js/src/builtin/TypedObject.js
+++ b/js/src/builtin/TypedObject.js
@@ -551,16 +551,19 @@ function ArrayShorthand(...dims) {
 //
 // Warning: user exposed!
 function StorageOfTypedObject(obj) {
   if (IsObject(obj)) {
     if (ObjectIsOpaqueTypedObject(obj))
       return null;
 
     if (ObjectIsTransparentTypedObject(obj)) {
+      if (!TypedObjectIsAttached(obj))
+          ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
+
       var descr = TypedObjectTypeDescr(obj);
       var byteLength;
       if (DESCR_KIND(descr) == JS_TYPEREPR_UNSIZED_ARRAY_KIND)
         byteLength = DESCR_SIZE(descr.elementType) * obj.length;
       else
         byteLength = DESCR_SIZE(descr);
 
       return { buffer: TypedObjectBuffer(obj),
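Review bot: The `ThrowError` line under the new `if` in StorageOfTypedObject is indented four spaces where the rest of this function (and the matching check added to MapTypedParImplDepth1 in the next hunk) indents a single-statement body by two; `        ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);` keeps the file's style. The check is placed before the `TypedObjectTypeDescr` and `TypedObjectBuffer` reads it protects, which is the right spot; whether the `obj.length` read on the unsized-array path can run user code that detaches the buffer between the check and `TypedObjectBuffer(obj)` is not visible here and worth confirming. The `return` object literal continues past the end of the hunk.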
@@ -1139,16 +1142,19 @@ function MapTypedParImplDepth1(inArray, 
          TypeDescrIsArrayType(inArrayType),
          "DoMapTypedParDepth1: invalid inArrayType");
   assert(IsObject(outArrayType) && ObjectIsTypeDescr(outArrayType) &&
          TypeDescrIsArrayType(outArrayType),
          "DoMapTypedParDepth1: invalid outArrayType");
   assert(IsObject(inArray) && ObjectIsTypedObject(inArray),
          "DoMapTypedParDepth1: invalid inArray");
 
+  if (!TypedObjectIsAttached(inArray))
+    ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
+
   // Determine the grain types of the input and output.
   const inGrainType = inArrayType.elementType;
   const outGrainType = outArrayType.elementType;
   const inGrainTypeSize = DESCR_SIZE(inGrainType);
   const outGrainTypeSize = DESCR_SIZE(outGrainType);
   const inGrainTypeIsComplex = !TypeDescrIsSimpleType(inGrainType);
   const outGrainTypeIsComplex = !TypeDescrIsSimpleType(outGrainType);
 
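Review bot: The attached check covers only the moment MapTypedParImplDepth1 is entered; the code that later reads elements of inArray, and any user function it invokes while doing so, lies past the end of the hunk, so if that function can detach the buffer mid-iteration those later reads are not covered by this check — worth confirming against the loop, or noting that the element accessors re-check. A one-line comment above the new check, `// Throw rather than read from a neutered (unattached) typed object.`, would tell the next reader why this sits after the asserts instead of among them. MapTypedParImplDepth1 begins and ends outside the hunk.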
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug1082649.js
@@ -0,0 +1,16 @@
+if (typeof TypedObject === "undefined")
+  quit();
+
+var {StructType, uint32, storage} = TypedObject;
+var S = new StructType({f: uint32, g: uint32});
+function main(variant) {
+  var s = new S({f: 22, g: 44});
+  neuter(storage(s).buffer, variant);
+  print(storage(s).byteOffset);
+}
+try {
+    main("same-data");
+    assertEq(true, false);
+} catch (e) {
+    assertEq(e instanceof TypeError, true);
+}
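Review bot: Using `assertEq(true, false)` inside the `try` as the "should not reach here" marker is confusing on failure: the assertion error it raises is itself caught by the `catch`, and the test then fails on `e instanceof TypeError` with a message that points at the wrong line. Capturing the thrown value and asserting on it after the block reports the real failure and also removes the 4-space indentation that disagrees with the 2-space body of `main`. The `variant` parameter is exercised with only `"same-data"`; if the shell's `neuter` accepts another variant, a second call covering it would make the parameter earn its keep.
```javascript
// … unchanged: TypedObject guard, S and main …
var threw = null;
try {
  main("same-data");
} catch (e) {
  threw = e;
}
assertEq(threw instanceof TypeError, true);
```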