Bug 1369994 - Ensure template objects for typed arrays are initialized properly before exposing them to GC r=jandem a=abillings
authorJon Coppeard <jcoppeard@mozilla.com>
Mon, 26 Jun 2017 20:15:41 -0400
changeset 600745 d516c35eabf14738e03728f9be602b732e63078c
parent 600744 8d9b536289c2ddec604ea8e2f305a007ec840612
child 600746 7da6c99070996a8d0baa4013d4c0b515f8045fa2
push id65868
push userbmo:rail@mozilla.com
push dateTue, 27 Jun 2017 20:33:55 +0000
reviewersjandem, abillings
bugs1369994
milestone56.0a1
Bug 1369994 - Ensure template objects for typed arrays are initialized properly before exposing them to GC r=jandem a=abillings
js/src/vm/TypedArrayObject.cpp
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -570,33 +570,34 @@ class TypedArrayObjectTemplate : public 
         MOZ_ASSERT(CanBeFinalizedInBackground(allocKind, clasp));
         allocKind = GetBackgroundAllocKind(allocKind);
 
         AutoSetNewObjectMetadata metadata(cx);
         jsbytecode* pc;
         RootedScript script(cx, cx->currentScript(&pc));
         if (script && ObjectGroup::useSingletonForAllocationSite(script, pc, clasp))
             newKind = SingletonObject;
-        RootedObject tmp(cx, NewBuiltinClassInstance(cx, clasp, allocKind, newKind));
+        JSObject* tmp = NewBuiltinClassInstance(cx, clasp, allocKind, newKind);
         if (!tmp)
             return nullptr;
-        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
-                                                                 newKind == SingletonObject))
-        {
-            return nullptr;
-        }
 
-        TypedArrayObject* tarray = &tmp->as<TypedArrayObject>();
+        Rooted<TypedArrayObject*> tarray(cx, &tmp->as<TypedArrayObject>());
         initTypedArraySlots(cx, tarray, len);
 
         // Template objects do not need memory for its elements, since there
         // won't be any elements to store. Therefore, we set the pointer to
         // nullptr and avoid allocating memory that will never be used.
         tarray->initPrivate(nullptr);
 
+        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tarray,
+                                                                 newKind == SingletonObject))
+        {
+            return nullptr;
+        }
+
         return tarray;
     }
 
     static void
     initTypedArraySlots(JSContext* cx, TypedArrayObject* tarray, int32_t len)
     {
         MOZ_ASSERT(len >= 0);
         tarray->setFixedSlot(TypedArrayObject::BUFFER_SLOT, NullValue());