Bug 1330662 - IonMonkey: Don't check the size of a zero TypedArrayObject when not used, r=jandem
authorHannes Verschore <hv1989@gmail.com>
Mon, 16 Jan 2017 12:46:48 +0100
changeset 461338 22426fbd559b7df850195ffa77af54cbec582eb6
parent 461337 ee2a1ad506f08f363d32cc54d3cd4db000ac829d
child 461339 1ec74b000805b9cc0756487b58ac17ad233e4219
push id41655
push userbmo:npang@mozilla.com
push dateMon, 16 Jan 2017 14:31:16 +0000
reviewersjandem
bugs1330662
milestone53.0a1
Bug 1330662 - IonMonkey: Don't check the size of a zero TypedArrayObject when not used, r=jandem
js/src/jit-test/tests/ion/bug1330662.js
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1330662.js
@@ -0,0 +1,5 @@
+
+for (i=0;i<10000;++i) {
+    a = inIon() ? 0 : 300;
+    buf = new Uint8ClampedArray(a);
+}
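Review bot: The loop body on lines 21-24 leaks `i`, `a` and `buf` as implicit sloppy-mode globals; declaring them (`for (var i = 0; i < 10000; ++i) {`, `var a = ...`, `var buf = ...`) keeps the test from depending on accidental global creation. A one-line header naming the scenario would also help a future reader, e.g. `// Bug 1330662: a zero-length typed array allocated in Ion but never used must finalize without crashing.` — the exact crash mode is inferred from the commit title, so word it to match the fixed finalize path.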
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -158,16 +158,21 @@ TypedArrayObject::trace(JSTracer* trc, J
 }
 
 void
 TypedArrayObject::finalize(FreeOp* fop, JSObject* obj)
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
     TypedArrayObject* curObj = &obj->as<TypedArrayObject>();
 
+    // Template objects or discarded objects (which didn't have enough room
+    // for inner elements). Don't have anything to free.
+    if (!curObj->elementsRaw())
+        return;
+
     curObj->assertZeroLengthArrayData();
 
     // Typed arrays with a buffer object do not need to be free'd
     if (curObj->hasBuffer())
         return;
 
     // Free the data slot pointer if it does not point into the old JSObject.
     if (!curObj->hasInlineElements())
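Review bot: The new comment on lines 36-37 is a fragment split into two unrelated sentences and does not say why a null elements pointer makes the object safe to skip; suggest `// Template objects, and objects that were allocated but discarded before ever receiving an elements pointer (the requested length did not fit inline), own no data: nothing to free.` — the discard path is inferred from the test, so confirm it matches the actual allocation site. The early return also bypasses `assertZeroLengthArrayData()` and the `hasBuffer()` check; that is harmless for freeing, but if a buffer-backed view can never have a null elements pointer (a detached buffer may), a `MOZ_ASSERT(!curObj->hasBuffer());` before the `return` would pin that invariant — verify it before adding. TypedArrayObject::finalize continues past the end of the hunk.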