Bug 999140 - Mapped array buffers need a safety buffer, r=Waldo
authorSteve Fink <sfink@mozilla.com>
Fri, 25 Apr 2014 13:46:26 -0700
changeset 180685 2f0714c1413b30e8b7be060a6bbab47a8a6fe90a
parent 180684 950fadd70f9ebde26828cbb6999f3e0e5784e32c
child 180686 b51cc5e640ec40ab19effd112597d5add445be9c
push id272
push userpvanderbeken@mozilla.com
push dateMon, 05 May 2014 16:31:18 +0000
reviewersWaldo
bugs999140
milestone31.0a1
Bug 999140 - Mapped array buffers need a safety buffer, r=Waldo
js/src/vm/ArrayBufferObject.cpp
js/src/vm/ArrayBufferObject.h
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -338,19 +338,17 @@ ArrayBufferObject::neuter(JSContext *cx,
 
     for (ArrayBufferViewObject *view = buffer->viewList(); view; view = view->nextView()) {
         view->neuter(newData);
 
         // Notify compiled jit code that the base pointer has moved.
         MarkObjectStateChange(cx, view);
     }
 
-    if (buffer->isMappedArrayBuffer())
-        buffer->setNewOwnedData(cx->runtime()->defaultFreeOp(), nullptr);
-    else if (newData != buffer->dataPointer())
+    if (newData != buffer->dataPointer())
         buffer->setNewOwnedData(cx->runtime()->defaultFreeOp(), newData);
 
     buffer->setByteLength(0);
     buffer->setViewList(nullptr);
     buffer->setIsNeutered();
 
     // If this is happening during an incremental GC, remove the buffer from
     // the list of live buffers with multiple views if necessary.
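Review bot: With the mapped-buffer branch removed, a mapped buffer that still owns its contents now reaches `setNewOwnedData(fop, newData)` with an ordinary heap allocation, and nothing in this hunk clears MAPPED_BUFFER, so the flag keeps describing the old mmap'd contents while dataPointer() refers to malloc'd memory; the same invariant was guarded by the `JS_ASSERT_IF(isMappedArrayBuffer(), !newData)` dropped in the setNewOwnedData hunk below. Whether releaseData() (called from setNewOwnedData while the buffer is not yet neutered) and finalize pick the right deallocator for that mixed state is not visible here; releaseMappedArray at least bails on isNeutered(), which this function sets only after the pointer swap. A comment above the new `if` would make the dependency explicit, e.g. `// Mapped buffers are neutered like any other buffer: the old contents are released or stolen and the buffer now owns plain heap memory, but MAPPED_BUFFER stays set, so every later release path must also check isNeutered().` The body of neuter begins before this hunk.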
@@ -370,17 +368,16 @@ ArrayBufferObject::neuter(JSContext *cx,
     }
 }
 
 void
 ArrayBufferObject::setNewOwnedData(FreeOp* fop, void *newData)
 {
     JS_ASSERT(!isAsmJSArrayBuffer());
     JS_ASSERT(!isSharedArrayBuffer());
-    JS_ASSERT_IF(isMappedArrayBuffer(), !newData);
 
     if (ownsData()) {
         JS_ASSERT(newData != dataPointer());
         releaseData(fop);
     }
 
     setDataPointer(static_cast<uint8_t *>(newData), OwnsData);
 }
@@ -531,17 +528,17 @@ ArrayBufferObject::canNeuterAsmJSArrayBu
 
     return false;
 #else
     return true;
 #endif
 }
 
 void *
-ArrayBufferObject::createMappedArrayBuffer(int fd, size_t offset, size_t length)
+ArrayBufferObject::createMappedContents(int fd, size_t offset, size_t length)
 {
     return AllocateMappedContent(fd, offset, length, ARRAY_BUFFER_ALIGNMENT);
 }
 
 void
 ArrayBufferObject::releaseMappedArray()
 {
     if(!isMappedArrayBuffer() || isNeutered())
@@ -744,24 +741,19 @@ ArrayBufferObject::ensureNonInline(JSCon
 ArrayBufferObject::stealContents(JSContext *cx, Handle<ArrayBufferObject*> buffer)
 {
     if (!buffer->canNeuter(cx)) {
         js_ReportOverRecursed(cx);
         return nullptr;
     }
 
     void *oldData = buffer->dataPointer();
-    void *newData;
-    if (buffer->isMappedArrayBuffer())
-        newData = oldData;
-    else {
-        newData = AllocateArrayBufferContents(cx, buffer->byteLength());
-        if (!newData)
-            return nullptr;
-    }
+    void *newData = AllocateArrayBufferContents(cx, buffer->byteLength());
+    if (!newData)
+        return nullptr;
 
     if (buffer->hasStealableContents()) {
         buffer->setOwnsData(DoesntOwnData);
         ArrayBufferObject::neuter(cx, buffer, newData);
         return oldData;
     } else {
         memcpy(newData, oldData, buffer->byteLength());
         ArrayBufferObject::neuter(cx, buffer, oldData);
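Review bot: The returned `void *` no longer tells the caller how the contents were allocated: in the stealable branch `oldData` is mmap'd memory for a mapped buffer and malloc'd memory otherwise, while the memcpy branch always hands back a heap buffer, so a caller that uses the wrong release function (free versus DeallocateMappedContent) would corrupt the allocator or leak the mapping. If callers are expected to consult isMappedArrayBuffer() before the steal, that contract should be written down above the allocation, e.g. `// Always allocate replacement heap contents, even for mapped buffers, so neutered views never point into the (possibly unmapped) file. The returned pointer keeps the original allocation kind; callers of mapped buffers must release it with JS_ReleaseMappedArrayBufferContents.` The unconditional `AllocateArrayBufferContents(cx, buffer->byteLength())` also means a mapped buffer of length N now costs an extra N-byte heap allocation on steal, which is presumably the intended "safety buffer" but is worth stating, since the previous code reused oldData. The function's return-type line precedes this hunk.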
@@ -1106,17 +1098,17 @@ JS_NewMappedArrayBufferWithContents(JSCo
 {
     JS_ASSERT(contents);
     return ArrayBufferObject::create(cx, nbytes, contents, TenuredObject, true);
 }
 
 JS_PUBLIC_API(void *)
 JS_CreateMappedArrayBufferContents(int fd, size_t offset, size_t length)
 {
-    return ArrayBufferObject::createMappedArrayBuffer(fd, offset, length);
+    return ArrayBufferObject::createMappedContents(fd, offset, length);
 }
 
 JS_PUBLIC_API(void)
 JS_ReleaseMappedArrayBufferContents(void *contents, size_t length)
 {
     DeallocateMappedContent(contents, length);
 }
 
@@ -1189,9 +1181,8 @@ JS_GetObjectAsArrayBuffer(JSObject *obj,
     if (!IsArrayBuffer(obj))
         return nullptr;
 
     *length = AsArrayBuffer(obj).byteLength();
     *data = AsArrayBuffer(obj).dataPointer();
 
     return obj;
 }
-
--- a/js/src/vm/ArrayBufferObject.h
+++ b/js/src/vm/ArrayBufferObject.h
@@ -156,17 +156,17 @@ class ArrayBufferObject : public JSObjec
     bool isMappedArrayBuffer() const { return flags() & MAPPED_BUFFER; }
     bool isNeutered() const { return flags() & NEUTERED_BUFFER; }
 
     static bool prepareForAsmJS(JSContext *cx, Handle<ArrayBufferObject*> buffer);
     static bool canNeuterAsmJSArrayBuffer(JSContext *cx, ArrayBufferObject &buffer);
 
     static void finalize(FreeOp *fop, JSObject *obj);
 
-    static void *createMappedArrayBuffer(int fd, size_t offset, size_t length);
+    static void *createMappedContents(int fd, size_t offset, size_t length);
 
     static size_t flagsOffset() {
         return getFixedSlotOffset(FLAGS_SLOT);
     }
 
     static uint32_t neuteredFlag() { return NEUTERED_BUFFER; }
 
   protected: