Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem
backed out by afd6ad990dd4
author Sander Mathijs van Veen <smvv@kompiler.org>
Tue, 13 Sep 2016 17:22:51 -0400
changeset 313753 e2bca303ae69caecec7d91396b8a04be9922e0fa
parent 313752 8f0df87ccf9c1b783d449bda9ee5d74a344432fb
child 313754 32fb14de50feb0a1334c75a79ebab6fe7d9b3db5
push id 30697
push user cbook@mozilla.com
push date Wed, 14 Sep 2016 10:04:12 +0000
reviewers jandem
bugs 1296249
milestone 51.0a1
js/src/jit-test/tests/basic/bug1296249.js
js/src/jit/MacroAssembler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1296249.js
@@ -0,0 +1,10 @@
+function f(x) {
+    new Int32Array(x);
+}
+f(0);
+try {
+    f(2147483647);
+} catch(e) {
+    assertEq(e instanceof InternalError, true,
+             "expected InternalError, instead threw: " + e);
+}
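Review bot: the test passes silently if `f(2147483647)` does not throw at all, because the only assertion sits inside the `catch` block. Record that the call threw and check it after the `try`, e.g. `var threw = false; try { f(2147483647); } catch(e) { threw = true; assertEq(e instanceof InternalError, true, ...); } assertEq(threw, true);`, so a regression that lets the allocation proceed (or truncate to a zero-length buffer) is caught rather than ignored. It is also worth confirming that one warm-up call to `f` is enough to reach the JIT allocation path the fix lives in (js/src/jit/MacroAssembler.cpp); if the second call runs in the interpreter the test does not exercise the changed code.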
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1057,16 +1057,22 @@ AllocateObjectBufferWithInit(JSContext* 
             return; \
         break;
 JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
 #undef CREATE_TYPED_ARRAY
       default:
         MOZ_CRASH("Unsupported TypedArray type");
     }
 
+    // Prevent an overflow caused by the JS_ROUNDUP since |allocateBuffer|
+    // converts |nbytes| of type size_t to uint32_t. The value for |nbytes| will
+    // truncate to zero when |new Int32Array(2147483647)| is used.
+    if (nbytes >= TypedArrayObject::SINGLETON_BYTE_LENGTH)
+        return;
+
     nbytes = JS_ROUNDUP(nbytes, sizeof(Value));
     Nursery& nursery = cx->runtime()->gc.nursery;
     void* buf = nursery.allocateBuffer(obj, nbytes);
     if (buf) {
         obj->initPrivate(buf);
         memset(buf, 0, nbytes);
     }
 }
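Review bot: the new guard compares `nbytes` against `TypedArrayObject::SINGLETON_BYTE_LENGTH`, but the comment explains a different condition, namely that `JS_ROUNDUP(nbytes, sizeof(Value))` wraps when `allocateBuffer` narrows the `size_t` to `uint32_t`. Either state in the comment why buffers of `SINGLETON_BYTE_LENGTH` or more should never be nursery-allocated here (so the early return is the intended policy and the overflow is ruled out as a consequence), or express the overflow check directly, e.g. `if (nbytes > UINT32_MAX - sizeof(Value)) return;`, so the guard does not depend on the unrelated constant keeping a value small enough to make the truncation impossible. The early return also skips `obj->initPrivate(buf)`; that mirrors the existing `if (buf)` null-buffer path, so callers must already tolerate an object with no buffer attached, and a short note in the comment that this is relied on would make the intent explicit.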