Backed out 2 changesets (bug 1426783, bug 1425612) for spidermonekey bustages on non262/extensions/sharedtypedarray.js r=backout on a CLOSED TREE
authorDorel Luca <dluca@mozilla.com>
Thu, 11 Jan 2018 01:45:10 +0200
changeset 452968 600bee353e155608a5832f7eb9d5e42987d66591
parent 452967 a8e2b4cf8e26b900983e33cc2fb6b48f1e5747b2
child 452969 6f9bad2ae1812ba6f1ee3f97ad4054840dd030f0
push id1648
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 12:45:47 +0000
treeherdermozilla-release@cbb9688c2eeb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbackout
bugs1426783, 1425612
milestone59.0a1
backs outa8e2b4cf8e26b900983e33cc2fb6b48f1e5747b2
f10263c3babef5f70e1e8fdb9e52c2de15cf22e1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out 2 changesets (bug 1426783, bug 1425612) for spidermonekey bustages on non262/extensions/sharedtypedarray.js r=backout on a CLOSED TREE Backed out changeset a8e2b4cf8e26 (bug 1425612) Backed out changeset f10263c3babe (bug 1426783)
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -1911,22 +1911,16 @@ JSStructuredCloneReader::readTypedArray(
     } else {
         if (!startRead(&v))
             return false;
         uint64_t n;
         if (!in.read(&n))
             return false;
         byteOffset = n;
     }
-    if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "typed array must be backed by an ArrayBuffer");
-        return false;
-    }
-
     RootedObject buffer(context(), &v.toObject());
     RootedObject obj(context(), nullptr);
 
     switch (arrayType) {
       case Scalar::Int8:
         obj = JS_NewInt8ArrayWithBuffer(context(), buffer, byteOffset, nelems);
         break;
       case Scalar::Uint8:
@@ -1974,21 +1968,16 @@ JSStructuredCloneReader::readDataView(ui
     Value dummy = UndefinedValue();
     if (!allObjs.append(dummy))
         return false;
 
     // Read the ArrayBuffer object and its contents (but no properties).
     RootedValue v(context());
     if (!startRead(&v))
         return false;
-    if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "DataView must be backed by an ArrayBuffer");
-        return false;
-    }
 
     // Read byteOffset.
     uint64_t n;
     if (!in.read(&n))
         return false;
     uint32_t byteOffset = n;
 
     RootedObject buffer(context(), &v.toObject());
@@ -2034,21 +2023,18 @@ JSStructuredCloneReader::readSharedArray
 
     if (!context()->compartment()->creationOptions().getSharedMemoryAndAtomicsEnabled()) {
         JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_SAB_DISABLED);
         return false;
     }
 
     // We must not transfer buffer pointers cross-process.  The cloneDataPolicy
     // in the sender should guard against this; check that it does.
-    if (storedScope > JS::StructuredCloneScope::SameProcessDifferentThread) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "can't transfer SharedArrayBuffer cross-process");
-        return false;
-    }
+
+    MOZ_RELEASE_ASSERT(storedScope <= JS::StructuredCloneScope::SameProcessDifferentThread);
 
     // The new object will have a new reference to the rawbuf.
 
     if (!rawbuf->addReference()) {
         JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_SAB_REFCNT_OFLO);
         return false;
     }
 
@@ -2060,33 +2046,24 @@ JSStructuredCloneReader::readSharedArray
 
     vp.setObject(*obj);
     return true;
 }
 
 bool
 JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValue vp)
 {
-    if (nbytes != 0) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "invalid shared wasm memory tag");
-        return false;
-    }
+    MOZ_ASSERT(nbytes == 0);
 
     JSContext* cx = context();
 
     // Read the SharedArrayBuffer object.
     RootedValue payload(cx);
     if (!startRead(&payload))
         return false;
-    if (!payload.isObject() || !payload.toObject().is<SharedArrayBufferObject>()) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "shared wasm memory must be backed by a SharedArrayBuffer");
-        return false;
-    }
 
     Rooted<ArrayBufferObjectMaybeShared*> sab(
         cx, &payload.toObject().as<SharedArrayBufferObject>());
 
     // Construct the memory.
     RootedObject proto(cx, &cx->global()->getPrototype(JSProto_WasmMemory).toObject());
     RootedObject memory(cx, WasmMemoryObject::create(cx, sab, proto));
     if (!memory)
@@ -2099,33 +2076,20 @@ JSStructuredCloneReader::readSharedWasmM
 /*
  * Read in the data for a structured clone version 1 ArrayBuffer, performing
  * endianness-conversion while reading.
  */
 bool
 JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems,
                                            MutableHandleValue vp)
 {
-    if (arrayType > Scalar::Uint8Clamped) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "invalid TypedArray type");
-        return false;
-    }
-
-    mozilla::CheckedInt<size_t> nbytes =
-        mozilla::CheckedInt<size_t>(nelems) *
-        TypedArrayElemSize(static_cast<Scalar::Type>(arrayType));
-    if (!nbytes.isValid() || nbytes.value() > UINT32_MAX) {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
-                                  JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "invalid typed array size");
-        return false;
-    }
-
-    JSObject* obj = ArrayBufferObject::create(context(), nbytes.value());
+    MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
+
+    uint32_t nbytes = nelems << TypedArrayShift(static_cast<Scalar::Type>(arrayType));
+    JSObject* obj = ArrayBufferObject::create(context(), nbytes);
     if (!obj)
         return false;
     vp.setObject(*obj);
     ArrayBufferObject& buffer = obj->as<ArrayBufferObject>();
     MOZ_ASSERT(buffer.byteLength() == nbytes);
 
     switch (arrayType) {
       case Scalar::Int8:
@@ -2375,24 +2339,16 @@ JSStructuredCloneReader::readHeader()
 
     if (tag != SCTAG_HEADER) {
         // Old structured clone buffer. We must have read it from disk or
         // somewhere, so we can assume it's scope-compatible.
         return true;
     }
 
     MOZ_ALWAYS_TRUE(in.readPair(&tag, &data));
-    if (data != uint32_t(JS::StructuredCloneScope::SameProcessSameThread) &&
-        data != uint32_t(JS::StructuredCloneScope::SameProcessDifferentThread) &&
-        data != uint32_t(JS::StructuredCloneScope::DifferentProcess))
-    {
-        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
-                                  "invalid structured clone scope");
-        return false;
-    }
     storedScope = JS::StructuredCloneScope(data);
     if (storedScope < allowedScope) {
         JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
                                   "incompatible structured clone scope");
         return false;
     }
 
     return true;