Bug 1343513. r=jandem, a=dveditz
authorAndré Bargull <andre.bargull@gmail.com>
Thu, 02 Mar 2017 08:33:24 -0800
changeset 376563 c68908b7f6f8267b19b558d27cc99c69b0c0d80e
parent 376562 c38111d38a99b7c3b3a0e8d8d8486fd305b93200
child 376564 1c676fbbcdbfeec529f424d6884dce04877ec73f
push id6996
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 20:48:21 +0000
reviewersjandem, dveditz
bugs1343513
milestone53.0a2
Bug 1343513. r=jandem, a=dveditz
js/src/jit/MacroAssembler.cpp
js/src/vm/TypedArrayObject.cpp
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1034,38 +1034,36 @@ static void
 AllocateObjectBufferWithInit(JSContext* cx, TypedArrayObject* obj, int32_t count)
 {
     JS::AutoCheckCannotGC nogc(cx);
 
     obj->initPrivate(nullptr);
 
     // Negative numbers or zero will bail out to the slow path, which in turn will raise
     // an invalid argument exception or create a correct object with zero elements.
-    if (count <= 0) {
+    if (count <= 0 || uint32_t(count) >= INT32_MAX / obj->bytesPerElement()) {
         obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(0));
         return;
     }
 
     obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(count));
     size_t nbytes;
 
     switch (obj->type()) {
 #define CREATE_TYPED_ARRAY(T, N) \
       case Scalar::N: \
-        if (!js::CalculateAllocSize<T>(count, &nbytes)) \
-            return; \
+        MOZ_ALWAYS_TRUE(js::CalculateAllocSize<T>(count, &nbytes)); \
         break;
 JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
 #undef CREATE_TYPED_ARRAY
       default:
         MOZ_CRASH("Unsupported TypedArray type");
     }
 
-    if (!(CheckedUint32(nbytes) + sizeof(Value)).isValid())
-        return;
+    MOZ_ASSERT((CheckedUint32(nbytes) + sizeof(Value)).isValid());
 
     nbytes = JS_ROUNDUP(nbytes, sizeof(Value));
     Nursery& nursery = cx->runtime()->gc.nursery;
     void* buf = nursery.allocateBuffer(obj, nbytes);
     if (buf) {
         obj->initPrivate(buf);
         memset(buf, 0, nbytes);
     }
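Review bot: The comment on lines 27-28 is stale after this change: the guard below it now also rejects positive counts whose byte size would reach INT32_MAX, and a reader of the "Negative numbers or zero" wording will not expect that branch to fire for large lengths. I would reword it to `// Negative numbers, zero, or lengths whose byte size would not fit in an int32 bail out to the slow path, which in turn will raise an invalid argument exception or create a correct object with zero elements.` Note that the CheckedUint32 check is now a MOZ_ASSERT and disappears from release builds, which is sound only because the new guard already keeps nbytes below INT32_MAX, so a short comment tying the assert to that guard would stop someone from loosening one without the other. The pre-existing `if (buf)` path still leaves LENGTH_SLOT at count with a null private when the nursery allocation fails; presumably the caller bails out on a null buffer, and saying so in a one-line comment would make that contract visible here. AllocateObjectBufferWithInit's closing brace is outside the hunk.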
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -666,22 +666,24 @@ class TypedArrayObjectTemplate : public 
             tarray->initPrivate(data);
             memset(data, 0, nbytes);
         }
     }
 
     static TypedArrayObject*
     makeTypedArrayWithTemplate(JSContext* cx, TypedArrayObject* templateObj, int32_t len)
     {
-        size_t nbytes;
-        if (len < 0 || !js::CalculateAllocSize<NativeType>(len, &nbytes)) {
+        if (len < 0 || uint32_t(len) >= INT32_MAX / sizeof(NativeType)) {
             JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_BAD_ARGS);
             return nullptr;
         }
 
+        size_t nbytes;
+        MOZ_ALWAYS_TRUE(js::CalculateAllocSize<NativeType>(len, &nbytes));
+
         bool fitsInline = nbytes <= INLINE_BUFFER_LIMIT;
 
         AutoSetNewObjectMetadata metadata(cx);
 
         const Class* clasp = templateObj->group()->clasp();
         gc::AllocKind allocKind = !fitsInline
                                   ? GetGCObjectKind(clasp)
                                   : AllocKindForLazyBuffer(nbytes);
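Review bot: The length bound `uint32_t(len) >= INT32_MAX / sizeof(NativeType)` on line 75 is now written out independently here and in MacroAssembler.cpp's AllocateObjectBufferWithInit, and since the JIT fast path silently falls back to this function for the lengths it rejects, the two expressions must stay identical or one path could accept a length the other refuses. I would hoist the limit into a single named constant (e.g. `static constexpr uint32_t MAX_LENGTH = INT32_MAX / sizeof(NativeType);` on the template, if the JIT side can reach it) and compare `uint32_t(len) >= MAX_LENGTH` in both places. The ordering also deserves a comment, since the MOZ_ALWAYS_TRUE on line 81 only holds because of the check above it: `// Reject lengths whose byte size cannot fit in an int32 before computing nbytes, so CalculateAllocSize cannot fail below.` makeTypedArrayWithTemplate's body continues past the end of the hunk.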