| author | Vladimir Vukicevic <vladimir@pobox.com> |
| Wed, 09 Jun 2010 19:05:00 -0700 | |
| changeset 47428 | b1cd46b5286839324d9826dc4f3f0f6c4b276a50 |
| parent 47427 | 99ce939d454577b7d90fddc5ba670bf0be227661 |
| child 47430 | 2164d3ca17def306c739a6179b9aaff4f1d7a6e9 |
| push id | 1 |
| push user | root |
| push date | Tue, 26 Apr 2011 22:38:44 +0000 |
| treeherder | mozilla-beta@bfdb6e623a36 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | brendan |
| bugs | 571014 |
| milestone | 1.9.3a5pre |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/js/src/jstypedarray.cpp +++ b/js/src/jstypedarray.cpp @@ -72,17 +72,18 @@ using namespace js; * * This class holds the underlying raw buffer that the TypedArray classes * access. It can be created explicitly and passed to a TypedArray, or * can be created implicitly by constructing a TypedArray with a size. */ ArrayBuffer * ArrayBuffer::fromJSObject(JSObject *obj) { - JS_ASSERT(obj->getClass() == &ArrayBuffer::jsclass); + while (!js_IsArrayBuffer(obj)) + obj = obj->getProto(); return reinterpret_cast<ArrayBuffer*>(obj->getPrivate()); } JSBool ArrayBuffer::prop_getByteLength(JSContext *cx, JSObject *obj, jsval id, jsval *vp) { ArrayBuffer *abuf = ArrayBuffer::fromJSObject(obj); if (abuf) @@ -202,16 +203,18 @@ ArrayBuffer::~ArrayBuffer() * The non-templated base class for the specific typed implementations. * This class holds all the member variables that are used by * the subclasses. */ TypedArray * TypedArray::fromJSObject(JSObject *obj) { + while (!js_IsTypedArray(obj)) + obj = obj->getProto(); return reinterpret_cast<TypedArray*>(obj->getPrivate()); } inline bool TypedArray::isArrayIndex(JSContext *cx, jsid id, jsuint *ip) { jsuint index; if (js_IdIsIndex(id, &index) && index < length) { @@ -818,16 +821,19 @@ class TypedArrayTemplate fun_slice(JSContext *cx, uintN argc, jsval *vp) { jsval *argv; JSObject *obj; argv = JS_ARGV(cx, vp); obj = JS_THIS_OBJECT(cx, vp); + if (!JS_InstanceOf(cx, obj, ThisTypeArray::fastClass(), vp+2)) + return false; + ThisTypeArray *tarray = ThisTypeArray::fromJSObject(obj); if (!tarray) return true; // these are the default values int32_t begin = 0, end = tarray->length; int32_t length = int32(tarray->length);
--- a/js/src/tests/js1_8_5/regress/jstests.list +++ b/js/src/tests/js1_8_5/regress/jstests.list @@ -17,9 +17,10 @@ script regress-559438.js script regress-560101.js script regress-560998-1.js script regress-560998-2.js script regress-563210.js script regress-563221.js script regress-566549.js script regress-566914.js script regress-567152.js -script regress-569306.js \ No newline at end of file +script regress-569306.js +script regress-571014.js
new file mode 100644 --- /dev/null +++ b/js/src/tests/js1_8_5/regress/regress-571014.js @@ -0,0 +1,22 @@ + +var F, o; + +F = function () {}; +F.prototype = new ArrayBuffer(1); +o = new F(); +assertEq(o.byteLength, 1); // should be no assertion here + +o = {}; +o.__proto__ = new Int32Array(1); +assertEq(o.buffer.byteLength, 4); // should be no assertion here + +F = function () {}; +F.prototype = new Int32Array(1); +o = new F(); +try { + o.slice(0, 1); + reportFailure("Expected an exception!"); +} catch (ex) { +} + +reportCompare("ok", "ok", "bug 571014");