Backed out changeset bef8a33f2d8f (bug 976697) for bustage on a CLOSED TREE
authorWes Kocher <wkocher@mozilla.com>
Wed, 12 Mar 2014 14:27:57 -0700
changeset 191447 4647aa53d2868dda962cc86f82ea9614cdd32a96
parent 191446 2645fa20fa257ddeef363e98536e6d67da71d1f8
child 191448 663cc8a7d6ec7d1cc132a057db701d00fa975d6e
child 191514 8ddc66a8d92975bc841b5225a7962fa8b1224f15
push id474
push userasasaki@mozilla.com
push dateMon, 02 Jun 2014 21:01:02 +0000
treeherdermozilla-release@967f4cf1b31c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs976697
milestone30.0a1
backs outbef8a33f2d8f84777bb3056c45b61147f75864b4
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset bef8a33f2d8f (bug 976697) for bustage on a CLOSED TREE
js/src/builtin/TypedObject.cpp
js/src/jit-test/tests/TypedObject/bug976697.js
js/src/tests/ecma_6/TypedObject/atopneuteredbuffer.js
js/src/vm/ArrayBufferObject.h
js/src/vm/TypedArrayObject.cpp
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
@@ -2287,22 +2287,16 @@ TypedObject::constructSized(JSContext *c
         return true;
     }
 
     // Buffer constructor.
     if (args[0].isObject() && args[0].toObject().is<ArrayBufferObject>()) {
         Rooted<ArrayBufferObject*> buffer(cx);
         buffer = &args[0].toObject().as<ArrayBufferObject>();
 
-        if (buffer->isNeutered()) {
-            JS_ReportErrorNumber(cx, js_GetErrorMessage,
-                                 nullptr, JSMSG_TYPEDOBJECT_BAD_ARGS);
-            return false;
-        }
-
         int32_t offset;
         if (args.length() >= 2 && !args[1].isUndefined()) {
             if (!args[1].isInt32()) {
                 JS_ReportErrorNumber(cx, js_GetErrorMessage,
                                      nullptr, JSMSG_TYPEDOBJECT_BAD_ARGS);
                 return false;
             }
 
@@ -2399,22 +2393,16 @@ TypedObject::constructUnsized(JSContext 
         return true;
     }
 
     // Buffer constructor.
     if (args[0].isObject() && args[0].toObject().is<ArrayBufferObject>()) {
         Rooted<ArrayBufferObject*> buffer(cx);
         buffer = &args[0].toObject().as<ArrayBufferObject>();
 
-        if (buffer->isNeutered()) {
-            JS_ReportErrorNumber(cx, js_GetErrorMessage,
-                                 nullptr, JSMSG_TYPEDOBJECT_BAD_ARGS);
-            return false;
-        }
-
         int32_t offset;
         if (args.length() >= 2 && !args[1].isUndefined()) {
             if (!args[1].isInt32()) {
                 JS_ReportErrorNumber(cx, js_GetErrorMessage,
                                      nullptr, JSMSG_TYPEDOBJECT_BAD_ARGS);
                 return false;
             }
 
deleted file mode 100644
--- a/js/src/jit-test/tests/TypedObject/bug976697.js
+++ /dev/null
@@ -1,10 +0,0 @@
-// Test that instantiating a typed array on top of a neutered buffer
-// doesn't trip any asserts. Public domain.
-
-if (!this.hasOwnProperty("TypedObject"))
-  quit();
-
-x = ArrayBuffer();
-neuter(x);
-Uint32Array(x);
-gc();
deleted file mode 100644
--- a/js/src/tests/ecma_6/TypedObject/atopneuteredbuffer.js
+++ /dev/null
@@ -1,23 +0,0 @@
-// |reftest| skip-if(!this.hasOwnProperty("TypedObject"))
-var BUGNUMBER = 976697;
-
-var {StructType, uint32, Object, Any, storage, objectType} = TypedObject;
-
-function main() { // once a C programmer, always a C programmer.
-  print(BUGNUMBER + ": " + summary);
-
-  var Uints = uint32.array();
-  var Unit = new StructType({});   // Empty struct type
-  var buffer = new ArrayBuffer(0); // Empty buffer
-  var p = new Unit(buffer);        // OK
-  neuter(buffer);
-  assertThrowsInstanceOf(() => new Unit(buffer), TypeError,
-                         "Able to instantiate atop neutered buffer");
-  assertThrowsInstanceOf(() => new Uints(buffer, 0), TypeError,
-                         "Able to instantiate atop neutered buffer");
-
-  reportCompare(true, true);
-  print("Tests complete");
-}
-
-main();
--- a/js/src/vm/ArrayBufferObject.h
+++ b/js/src/vm/ArrayBufferObject.h
@@ -273,24 +273,17 @@ PostBarrierTypedArrayObject(JSObject *ob
 inline void
 InitArrayBufferViewDataPointer(ArrayBufferViewObject *obj, ArrayBufferObject *buffer, size_t byteOffset)
 {
     /*
      * N.B. The base of the array's data is stored in the object's
      * private data rather than a slot to avoid alignment restrictions
      * on private Values.
      */
-
-    if (buffer->isNeutered()) {
-        JS_ASSERT(byteOffset == 0);
-        obj->initPrivate(nullptr);
-    } else {
-        obj->initPrivate(buffer->dataPointer() + byteOffset);
-    }
-
+    obj->initPrivate(buffer->dataPointer() + byteOffset);
     PostBarrierTypedArrayObject(obj);
 }
 
 /*
  * Tests for either ArrayBufferObject or SharedArrayBufferObject.
  * For specific class testing, use e.g., obj->is<ArrayBufferObject>().
  */
 bool IsArrayBuffer(HandleValue v);
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -357,17 +357,17 @@ class TypedArrayObjectTemplate : public 
         if (!empty)
             return nullptr;
         obj->setLastPropertyInfallible(empty);
 
 #ifdef DEBUG
         uint32_t bufferByteLength = buffer->byteLength();
         uint32_t arrayByteLength = obj->byteLength();
         uint32_t arrayByteOffset = obj->byteOffset();
-        JS_ASSERT_IF(!buffer->isNeutered(), buffer->dataPointer() <= obj->viewData());
+        JS_ASSERT(buffer->dataPointer() <= obj->viewData());
         JS_ASSERT(bufferByteLength - arrayByteOffset >= arrayByteLength);
         JS_ASSERT(arrayByteOffset <= bufferByteLength);
 
         // Verify that the private slot is at the expected place
         JS_ASSERT(obj->numFixedSlots() == DATA_SLOT);
 #endif
 
         buffer->addView(obj);