Bug 953111 - Check length before initializing typedobject instance r=sfink

2024-10-13 13:25:37 +00:00 · 2014-01-02 17:54:44 -05:00 · 2014-01-02 17:54:44 -05:00 · 5211399451
commit 5211399451
parent 311fe4a473
5 changed files with 25 additions and 3 deletions
--- a/js/src/builtin/TypeRepresentation.cpp
+++ b/js/src/builtin/TypeRepresentation.cpp
@ -947,6 +947,8 @@ SizedTypeRepresentation::initInstance(const JSRuntime *rt,
                                      uint8_t *mem,
                                      size_t length)
 {
+    JS_ASSERT(length >= 1);
+
    MemoryInitVisitor visitor(rt);

    // Initialize the 0th instance
--- a/js/src/builtin/TypeRepresentation.h
+++ b/js/src/builtin/TypeRepresentation.h
@ -231,7 +231,8 @@ class SizedTypeRepresentation : public TypeRepresentation {
    size_t size() const { return size_; }
    size_t alignment() const { return alignment_; }

-    // Initializes memory that contains `count` instances of this type
+    // Initializes memory that contains `count` instances of this type.
+    // `count` must be at least 1.
    void initInstance(const JSRuntime *rt, uint8_t *mem, size_t count);

    // Traces memory that contains `count` instances of this type.
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
@ -2339,7 +2339,8 @@ TypedObject::createZeroed(JSContext *cx,
        if (!memory)
            return nullptr;

-        elementTypeRepr->initInstance(cx->runtime(), memory, length);
+        if (length)
+            elementTypeRepr->initInstance(cx->runtime(), memory, length);
        obj->attach(memory);
        return obj;
      }
--- a/js/src/jit-test/tests/TypedObject/bug953111.js
+++ b/js/src/jit-test/tests/TypedObject/bug953111.js
@ -0,0 +1,18 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+if (!this.hasOwnProperty("TypedObject"))
+  quit();
+
+// bug 953111
+
+var A = TypedObject.uint8.array();
+var a = new A(0);
+a.forEach(function(val, i) {});
+
+// bug 951356 (dup, but a dup that is more likely to crash)
+
+var AA = TypedObject.uint8.array(2147483647).array();
+var aa = new AA(0);
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@ -6686,7 +6686,7 @@ IonBuilder::getElemTryScalarElemOfTypedObject(bool *emitted,
                                              TypeRepresentationSet elemTypeReprs,
                                              size_t elemSize)
 {
-    JS_ASSERT(objTypeReprs.kind() == TypeRepresentation::SizedArray);
+    JS_ASSERT(objTypeReprs.allOfArrayKind());

    // Must always be loading the same scalar type
    if (!elemTypeReprs.singleton())