Backed out changeset 6dc60397b3a1 (bug 976530)
authorWes Kocher <wkocher@mozilla.com>
Wed, 12 Mar 2014 14:27:13 -0700
changeset 190421 2645fa20fa257ddeef363e98536e6d67da71d1f8
parent 190420 20e8191247fd97395056ee1e4d7e48e1ba806c40
child 190422 4647aa53d2868dda962cc86f82ea9614cdd32a96
push id3503
push userraliiev@mozilla.com
push dateMon, 28 Apr 2014 18:51:11 +0000
bugs976530
milestone30.0a1
backs out6dc60397b3a1211895344c131aeb9a69f189f043
Backed out changeset 6dc60397b3a1 (bug 976530)
js/src/builtin/TypeRepresentation.cpp
js/src/jit-test/tests/TypedObject/bug976530.js
js/src/vm/ArrayBufferObject.cpp
--- a/js/src/builtin/TypeRepresentation.cpp
+++ b/js/src/builtin/TypeRepresentation.cpp
@@ -304,53 +304,53 @@ StructTypeRepresentation::init(JSContext
                                AutoPropertyNameVector &names,
                                AutoObjectVector &typeReprOwners)
 {
     JS_ASSERT(names.length() == typeReprOwners.length());
     fieldCount_ = names.length();
 
     // We compute alignment into the field `align_` directly in the
     // loop below, but not `size_` because we have to very careful
-    // about overflow. For now, we always use an int32_t for
+    // about overflow. For now, we always use a uint32_t for
     // consistency across build environments.
-    int32_t totalSize = 0;
+    uint32_t totalSize = 0;
 
     // These will be adjusted in the loop below:
     alignment_ = 1;
     opaque_ = false;
 
     for (size_t i = 0; i < names.length(); i++) {
         SizedTypeRepresentation *fieldTypeRepr =
             fromOwnerObject(*typeReprOwners[i])->asSized();
 
         if (fieldTypeRepr->opaque())
             opaque_ = true;
 
-        int32_t alignedSize = alignTo(totalSize, fieldTypeRepr->alignment());
+        uint32_t alignedSize = alignTo(totalSize, fieldTypeRepr->alignment());
         if (alignedSize < totalSize) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
                                  JSMSG_TYPEDOBJECT_TOO_BIG);
             return false;
         }
 
         new(fields() + i) StructField(i, names[i],
                                       fieldTypeRepr, alignedSize);
         alignment_ = js::Max(alignment_, fieldTypeRepr->alignment());
 
-        int32_t incrementedSize = alignedSize + fieldTypeRepr->size();
+        uint32_t incrementedSize = alignedSize + fieldTypeRepr->size();
         if (incrementedSize < alignedSize) {
             JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
                                  JSMSG_TYPEDOBJECT_TOO_BIG);
             return false;
         }
 
         totalSize = incrementedSize;
     }
 
-    int32_t alignedSize = alignTo(totalSize, alignment_);
+    uint32_t alignedSize = alignTo(totalSize, alignment_);
     if (alignedSize < totalSize) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
                              JSMSG_TYPEDOBJECT_TOO_BIG);
         return false;
     }
 
     size_ = alignedSize;
     return true;
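Review bot: The overflow checks on the new side (`alignedSize < totalSize` after each alignTo and `incrementedSize < alignedSize` after adding the field size) only detect wrap past UINT32_MAX, so a struct whose total lands between INT32_MAX and UINT32_MAX — the exact shape of the deleted bug976530.js test, two uint16 arrays of 1073741823 elements — passes the loop without JSMSG_TYPEDOBJECT_TOO_BIG and stores a size_ above 2^31. Whether that is harmful depends on consumers of size_ outside this hunk; the backed-out int32_t version suggests a signed limit was intended, but that version relied on signed wraparound for its checks (undefined or implementation-defined depending on what alignTo and size() return), which may be why it was reverted. If a signed 32-bit limit is the intent, an explicit cap after the final alignTo keeps the arithmetic unsigned and well-defined: `if (alignedSize > uint32_t(INT32_MAX)) { JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_TYPEDOBJECT_TOO_BIG); return false; }`. The comment above totalSize should also state the limit actually enforced, e.g. `// The checks below only reject totals that wrap past UINT32_MAX.` StructTypeRepresentation::init continues past the end of the hunk.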
deleted file mode 100644
--- a/js/src/jit-test/tests/TypedObject/bug976530.js
+++ /dev/null
@@ -1,10 +0,0 @@
-// |jit-test| error:Error
-
-// Test that we don't permit structs whose fields exceed 32 bits. Public domain.
-
-if (!this.hasOwnProperty("TypedObject"))
-  throw new Error();
-
-var Vec3u16Type = TypedObject.uint16.array((1073741823));
-var PairVec3u16Type = new TypedObject.StructType({ fst: Vec3u16Type, snd: Vec3u16Type });
-new PairVec3u16Type();
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -298,17 +298,16 @@ ArrayBufferObject::class_constructor(JSC
  * with the cx if available and fall back to the runtime.  If oldptr is given,
  * it's expected to be a previously-allocated ObjectElements* pointer that we
  * then realloc.
  */
 static ObjectElements *
 AllocateArrayBufferContents(JSContext *maybecx, uint32_t nbytes, void *oldptr = nullptr)
 {
     uint32_t size = nbytes + sizeof(ObjectElements);
-    JS_ASSERT(size > nbytes); // be wary of rollover
     ObjectElements *newheader;
 
     // if oldptr is given, then we need to do a realloc
     if (oldptr) {
         ObjectElements *oldheader = static_cast<ObjectElements *>(oldptr);
         uint32_t oldnbytes = ArrayBufferObject::headerInitializedLength(oldheader);
 
         void *p = maybecx ? maybecx->runtime()->reallocCanGC(oldptr, size) : js_realloc(oldptr, size);
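Review bot: With the JS_ASSERT removed, `uint32_t size = nbytes + sizeof(ObjectElements);` has no overflow check at all, and an nbytes within sizeof(ObjectElements) of UINT32_MAX truncates to a small size that is handed to reallocCanGC/js_realloc while the caller still believes it received nbytes of storage. The removed assert was compiled out of release builds anyway, so what is actually missing is a release-mode guard, unless every caller already bounds nbytes (class_constructor lies outside this hunk and cannot be confirmed here). A one-line check before the addition closes it: `if (nbytes > UINT32_MAX - sizeof(ObjectElements)) return nullptr;` with the comment `// Reject lengths whose header-inclusive size would not fit in uint32_t.` — or route it through whatever failure reporting the rest of the function uses, which is beyond the hunk. AllocateArrayBufferContents continues past the end of the hunk.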