Bug 1285960 r=sphink a=jcristau
authorJeff Walden <jwalden@mit.edu>
Fri, 16 Dec 2016 15:35:03 -0500
changeset 353368 4f7d41ab5f850f84b3a62b421c9474b30830f115
parent 353367 5af63cf90f2874f840c132461bff7f6130483362
child 353369 4dcafa858f95464bf931778c4a2a070119f21d05
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssphink, jcristau
bugs1285960
milestone52.0a2
Bug 1285960 r=sphink a=jcristau
js/src/vm/TypedArrayObject.cpp
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -1649,16 +1649,21 @@ DataViewNewObjectKind(JSContext* cx, uin
         return SingletonObject;
     return GenericObject;
 }
 
 DataViewObject*
 DataViewObject::create(JSContext* cx, uint32_t byteOffset, uint32_t byteLength,
                        Handle<ArrayBufferObject*> arrayBuffer, JSObject* protoArg)
 {
+    if (arrayBuffer->isDetached()) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_DETACHED);
+        return nullptr;
+    }
+
     MOZ_ASSERT(byteOffset <= INT32_MAX);
     MOZ_ASSERT(byteLength <= INT32_MAX);
     MOZ_ASSERT(byteOffset + byteLength < UINT32_MAX);
     MOZ_ASSERT(!arrayBuffer || !arrayBuffer->is<SharedArrayBufferObject>());
 
     RootedObject proto(cx, protoArg);
     RootedObject obj(cx);