Bug 999140 - Mapped array buffers need a safety buffer, r=Waldo
authorSteve Fink <sfink@mozilla.com>
Fri, 25 Apr 2014 13:46:26 -0700
changeset 198833 2f0714c1413b30e8b7be060a6bbab47a8a6fe90a
parent 198832 950fadd70f9ebde26828cbb6999f3e0e5784e32c
child 198834 b51cc5e640ec40ab19effd112597d5add445be9c
reviewersWaldo
bugs999140
milestone31.0a1
Bug 999140 - Mapped array buffers need a safety buffer, r=Waldo
js/src/vm/ArrayBufferObject.cpp
js/src/vm/ArrayBufferObject.h
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -338,19 +338,17 @@ ArrayBufferObject::neuter(JSContext *cx,
 
     for (ArrayBufferViewObject *view = buffer->viewList(); view; view = view->nextView()) {
         view->neuter(newData);
 
         // Notify compiled jit code that the base pointer has moved.
         MarkObjectStateChange(cx, view);
     }
 
-    if (buffer->isMappedArrayBuffer())
-        buffer->setNewOwnedData(cx->runtime()->defaultFreeOp(), nullptr);
-    else if (newData != buffer->dataPointer())
+    if (newData != buffer->dataPointer())
         buffer->setNewOwnedData(cx->runtime()->defaultFreeOp(), newData);
 
     buffer->setByteLength(0);
     buffer->setViewList(nullptr);
     buffer->setIsNeutered();
 
     // If this is happening during an incremental GC, remove the buffer from
     // the list of live buffers with multiple views if necessary.
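Review bot: With the mapped-buffer branch removed, a mapped buffer that owns its data now reaches `setNewOwnedData`, which calls `releaseData(fop)` on the mapping and then installs the heap-allocated `newData` as `OwnsData` while the `MAPPED_BUFFER` flag is still set; nothing in this hunk or the following `setNewOwnedData` hunk (where the `JS_ASSERT_IF(isMappedArrayBuffer(), !newData)` guard is dropped) records that from this point the flag no longer describes how the data pointer was allocated. `releaseMappedArray` further down already skips neutered buffers, so the safety buffer must be freed by the ordinary owned-data path; whether `releaseData` itself unmaps rather than frees for a still-mapped, not-yet-neutered buffer is not visible here and is worth confirming. A comment above the `if`, e.g. `// A mapped buffer is given a heap-allocated safety buffer here; once neutered, MAPPED_BUFFER no longer means the data pointer is mmap'd.`, would make the invariant explicit. `neuter` begins and ends outside this hunk.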
@@ -370,17 +368,16 @@ ArrayBufferObject::neuter(JSContext *cx,
     }
 }
 
 void
 ArrayBufferObject::setNewOwnedData(FreeOp* fop, void *newData)
 {
     JS_ASSERT(!isAsmJSArrayBuffer());
     JS_ASSERT(!isSharedArrayBuffer());
-    JS_ASSERT_IF(isMappedArrayBuffer(), !newData);
 
     if (ownsData()) {
         JS_ASSERT(newData != dataPointer());
         releaseData(fop);
     }
 
     setDataPointer(static_cast<uint8_t *>(newData), OwnsData);
 }
@@ -531,17 +528,17 @@ ArrayBufferObject::canNeuterAsmJSArrayBu
 
     return false;
 #else
     return true;
 #endif
 }
 
 void *
-ArrayBufferObject::createMappedArrayBuffer(int fd, size_t offset, size_t length)
+ArrayBufferObject::createMappedContents(int fd, size_t offset, size_t length)
 {
     return AllocateMappedContent(fd, offset, length, ARRAY_BUFFER_ALIGNMENT);
 }
 
 void
 ArrayBufferObject::releaseMappedArray()
 {
     if(!isMappedArrayBuffer() || isNeutered())
@@ -744,24 +741,19 @@ ArrayBufferObject::ensureNonInline(JSCon
 ArrayBufferObject::stealContents(JSContext *cx, Handle<ArrayBufferObject*> buffer)
 {
     if (!buffer->canNeuter(cx)) {
         js_ReportOverRecursed(cx);
         return nullptr;
     }
 
     void *oldData = buffer->dataPointer();
-    void *newData;
-    if (buffer->isMappedArrayBuffer())
-        newData = oldData;
-    else {
-        newData = AllocateArrayBufferContents(cx, buffer->byteLength());
-        if (!newData)
-            return nullptr;
-    }
+    void *newData = AllocateArrayBufferContents(cx, buffer->byteLength());
+    if (!newData)
+        return nullptr;
 
     if (buffer->hasStealableContents()) {
         buffer->setOwnsData(DoesntOwnData);
         ArrayBufferObject::neuter(cx, buffer, newData);
         return oldData;
     } else {
         memcpy(newData, oldData, buffer->byteLength());
         ArrayBufferObject::neuter(cx, buffer, oldData);
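Review bot: On the `hasStealableContents()` path the returned `oldData` of a mapped buffer is the mmap'd region, which the caller must release with `JS_ReleaseMappedArrayBufferContents(contents, length)` rather than a heap free, yet `stealContents` returns only the bare pointer and the hunk gives the caller no way to tell the two cases apart. The `length` that release needs is `buffer->byteLength()`, which `neuter` zeroes, so a caller has to capture it before the call; a header comment on `stealContents` stating that the contents of a mapped buffer remain mapped and must be released with the mapped-contents API using the pre-steal length would close that gap. The unconditional `AllocateArrayBufferContents(cx, buffer->byteLength())` is what provides the safety buffer for the neutered object and looks intended. The body of `stealContents` continues past the end of this hunk.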
@@ -1106,17 +1098,17 @@ JS_NewMappedArrayBufferWithContents(JSCo
 {
     JS_ASSERT(contents);
     return ArrayBufferObject::create(cx, nbytes, contents, TenuredObject, true);
 }
 
 JS_PUBLIC_API(void *)
 JS_CreateMappedArrayBufferContents(int fd, size_t offset, size_t length)
 {
-    return ArrayBufferObject::createMappedArrayBuffer(fd, offset, length);
+    return ArrayBufferObject::createMappedContents(fd, offset, length);
 }
 
 JS_PUBLIC_API(void)
 JS_ReleaseMappedArrayBufferContents(void *contents, size_t length)
 {
     DeallocateMappedContent(contents, length);
 }
 
@@ -1189,9 +1181,8 @@ JS_GetObjectAsArrayBuffer(JSObject *obj,
     if (!IsArrayBuffer(obj))
         return nullptr;
 
     *length = AsArrayBuffer(obj).byteLength();
     *data = AsArrayBuffer(obj).dataPointer();
 
     return obj;
 }
-
--- a/js/src/vm/ArrayBufferObject.h
+++ b/js/src/vm/ArrayBufferObject.h
@@ -156,17 +156,17 @@ class ArrayBufferObject : public JSObjec
     bool isMappedArrayBuffer() const { return flags() & MAPPED_BUFFER; }
     bool isNeutered() const { return flags() & NEUTERED_BUFFER; }
 
     static bool prepareForAsmJS(JSContext *cx, Handle<ArrayBufferObject*> buffer);
     static bool canNeuterAsmJSArrayBuffer(JSContext *cx, ArrayBufferObject &buffer);
 
     static void finalize(FreeOp *fop, JSObject *obj);
 
-    static void *createMappedArrayBuffer(int fd, size_t offset, size_t length);
+    static void *createMappedContents(int fd, size_t offset, size_t length);
 
     static size_t flagsOffset() {
         return getFixedSlotOffset(FLAGS_SLOT);
     }
 
     static uint32_t neuteredFlag() { return NEUTERED_BUFFER; }
 
   protected: