Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem
☠☠ backed out by afd6ad990dd4 ☠ ☠
authorSander Mathijs van Veen <smvv@kompiler.org>
Tue, 13 Sep 2016 17:22:51 -0400
changeset 357256 e2bca303ae69caecec7d91396b8a04be9922e0fa
parent 357255 8f0df87ccf9c1b783d449bda9ee5d74a344432fb
child 357257 32fb14de50feb0a1334c75a79ebab6fe7d9b3db5
push id1324
push usermtabara@mozilla.com
push dateMon, 16 Jan 2017 13:07:44 +0000
reviewersjandem
bugs1296249
milestone51.0a1
Bug 1296249 - Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357. r=jandem
js/src/jit-test/tests/basic/bug1296249.js
js/src/jit/MacroAssembler.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1296249.js
@@ -0,0 +1,10 @@
+function f(x) {
+    new Int32Array(x);
+}
+f(0);
+try {
+    f(2147483647);
+} catch(e) {
+    assertEq(e instanceof InternalError, true,
+             "expected InternalError, instead threw: " + e);
+}
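Review bot: The try/catch around `f(2147483647)` only checks the error type when something is thrown; if the allocation silently succeeds or returns without throwing, the test passes without exercising the regression. Record that the call threw, e.g. `var threw = false;` before the try, `threw = true;` as the first statement of the catch block, and `assertEq(threw, true);` after it, so the test fails if the InternalError path is ever lost.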
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1057,16 +1057,22 @@ AllocateObjectBufferWithInit(JSContext* 
             return; \
         break;
 JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
 #undef CREATE_TYPED_ARRAY
       default:
         MOZ_CRASH("Unsupported TypedArray type");
     }
 
+    // Prevent an overflow caused by the JS_ROUNDUP since |allocateBuffer|
+    // converts |nbytes| of type size_t to uint32_t. The value for |nbytes| will
+    // truncate to zero when |new Int32Array(2147483647)| is used.
+    if (nbytes >= TypedArrayObject::SINGLETON_BYTE_LENGTH)
+        return;
+
     nbytes = JS_ROUNDUP(nbytes, sizeof(Value));
     Nursery& nursery = cx->runtime()->gc.nursery;
     void* buf = nursery.allocateBuffer(obj, nbytes);
     if (buf) {
         obj->initPrivate(buf);
         memset(buf, 0, nbytes);
     }
 }
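Review bot: The guard `if (nbytes >= TypedArrayObject::SINGLETON_BYTE_LENGTH)` rejects sizes against a threshold whose relation to the uint32_t truncation the comment describes is not stated, so a reader of this hunk cannot tell that the threshold lies safely below the point where the JS_ROUNDUP result would wrap in allocateBuffer's parameter. The comment should make that bound explicit, e.g. `// SINGLETON_BYTE_LENGTH is well below UINT32_MAX, so rejecting here keeps the rounded size representable in allocateBuffer's uint32_t parameter.`, and if the constant is ever raised that reasoning should be re-checked. The check also assumes `nbytes` still holds the unwrapped element-count times element-size product at this point; on a 32-bit build size_t is itself 32 bits, and if that multiplication happens above the hunk it could already have wrapped before reaching this test — that computation is not visible here, so this is inferred. AllocateObjectBufferWithInit begins before the hunk.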