Bug 743854 - Do not call init on ArrayBuffer slots in NewObject. r=billm
authorTerrence Cole <terrence@mozilla.com>
Wed, 16 May 2012 12:01:50 -0700
changeset 95598 a8f13db7bff96dc165ce56afbcd7871af5e1cc4b
parent 95597 023c65a66288e5d828647bb81a0cc2954d027eb3
child 95599 e1406f8b5d54b367cd3d31877fd954e4a035d451
push idunknown
push userunknown
push dateunknown
reviewersbillm
bugs743854
milestone15.0a1
Bug 743854 - Do not call init on ArrayBuffer slots in NewObject. r=billm ArrayBuffers use slotSpan to store their inline size. If we try to initialize these, then we end up with their address in the StoreBuffer, but with arbitrary bytes written in these fields by TypedArrays. This patch uses an exact class test to prevent this initialization behavior.
js/src/jsobjinlines.h
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -857,20 +857,22 @@ JSObject::create(JSContext *cx, js::gc::
     if (!obj)
         return NULL;
 
     obj->shape_.init(shape);
     obj->type_.init(type);
     obj->slots = slots;
     obj->elements = js::emptyObjectElements;
 
-    if (shape->getObjectClass()->hasPrivate())
+    const js::Class *clasp = shape->getObjectClass();
+    if (clasp->hasPrivate())
         obj->privateRef(shape->numFixedSlots()) = NULL;
 
-    if (size_t span = shape->slotSpan())
+    size_t span = shape->slotSpan();
+    if (span && clasp != &js::ArrayBufferClass)
         obj->initializeSlotRange(0, span);
 
     return obj;
 }
 
 /* static */ inline JSObject *
 JSObject::createDenseArray(JSContext *cx, js::gc::AllocKind kind,
                            js::HandleShape shape, js::HandleTypeObject type,
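Review bot: The exact-class exemption on the new line `if (span && clasp != &js::ArrayBufferClass)` encodes an invariant that the code itself does not explain; the reason ArrayBuffer slots must stay uninitialized lives only in the commit description. A comment above the test would keep a later reader from "fixing" it back, e.g. `/* ArrayBuffer keeps raw inline data in its slot span, not Values; initializing it would put the slots in the StoreBuffer while TypedArrays overwrite them with arbitrary bytes. */`. Because this branch leaves that memory uninitialized, it presumably relies on the GC never tracing those slots as Values; if an assertion or class flag guarantees that, naming it in the comment would make the dependency auditable. JSObject::create begins before this hunk, and the hunk ends inside the signature of createDenseArray.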