From 52113994510b83e0e17a461b268643e500a588d7 Mon Sep 17 00:00:00 2001
From: "Nicholas D. Matsakis"
Date: Thu, 2 Jan 2014 17:54:44 -0500
Subject: [PATCH] Bug 953111 - Check length before initializing typedobject instance r=sfink
---
 js/src/builtin/TypeRepresentation.cpp | 2 ++
 js/src/builtin/TypeRepresentation.h | 3 ++-
 js/src/builtin/TypedObject.cpp | 3 ++-
 js/src/jit-test/tests/TypedObject/bug953111.js | 18 ++++++++++++++++++
 js/src/jit/IonBuilder.cpp | 2 +-
 5 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 js/src/jit-test/tests/TypedObject/bug953111.js
diff --git a/js/src/builtin/TypeRepresentation.cpp b/js/src/builtin/TypeRepresentation.cpp
index 024e47cb66a9..957a80bef2d3 100644
--- a/js/src/builtin/TypeRepresentation.cpp
+++ b/js/src/builtin/TypeRepresentation.cpp
@@ -947,6 +947,8 @@ SizedTypeRepresentation::initInstance(const JSRuntime *rt,
 uint8_t *mem,
 size_t length)
 {
+ JS_ASSERT(length >= 1);
+
 MemoryInitVisitor visitor(rt);
 // Initialize the 0th instance
diff --git a/js/src/builtin/TypeRepresentation.h b/js/src/builtin/TypeRepresentation.h
index b1c8a2e6800b..482f17493475 100644
--- a/js/src/builtin/TypeRepresentation.h
+++ b/js/src/builtin/TypeRepresentation.h
@@ -231,7 +231,8 @@ class SizedTypeRepresentation : public TypeRepresentation {
 size_t size() const { return size_; }
 size_t alignment() const { return alignment_; }
- // Initializes memory that contains `count` instances of this type
+ // Initializes memory that contains `count` instances of this type.
+ // `count` must be at least 1.
 void initInstance(const JSRuntime *rt, uint8_t *mem, size_t count);
 // Traces memory that contains `count` instances of this type.
diff --git a/js/src/builtin/TypedObject.cpp b/js/src/builtin/TypedObject.cpp
index 25ce74ed551d..e7a5489bf322 100644
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
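Review bot: The `JS_ASSERT(length >= 1)` added at the top of SizedTypeRepresentation::initInstance enforces the new precondition only in debug builds; in a release build a zero `length` still runs the body, so the effective protection is the caller-side `if (length)` guard in the TypedObject.cpp hunk, and every other caller has to repeat that check. If the function is meant to be safe on its own, an early `if (length == 0) return;` ahead of the assert would make it robust regardless of caller; if the caller-checks design is intentional, a comment at the assert such as `// Zero-length arrays must be skipped by the caller; see TypedObject::createZeroed.` ties the two halves together. The body of initInstance continues outside the hunk, so how the remaining code behaves for length 0 cannot be confirmed from here.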
@@ -2339,7 +2339,8 @@ TypedObject::createZeroed(JSContext *cx,
 if (!memory)
 return nullptr;
- elementTypeRepr->initInstance(cx->runtime(), memory, length);
+ if (length)
+ elementTypeRepr->initInstance(cx->runtime(), memory, length);
 obj->attach(memory);
 return obj;
 }
diff --git a/js/src/jit-test/tests/TypedObject/bug953111.js b/js/src/jit-test/tests/TypedObject/bug953111.js
new file mode 100644
index 000000000000..bcd98f27c3fd
--- /dev/null
+++ b/js/src/jit-test/tests/TypedObject/bug953111.js
@@ -0,0 +1,18 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+if (!this.hasOwnProperty("TypedObject"))
+ quit();
+
+// bug 953111
+
+var A = TypedObject.uint8.array();
+var a = new A(0);
+a.forEach(function(val, i) {});
+
+// bug 951356 (dup, but a dup that is more likely to crash)
+
+var AA = TypedObject.uint8.array(2147483647).array();
+var aa = new AA(0);
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 13c77d3c9548..80e22490c2d7 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -6686,7 +6686,7 @@ IonBuilder::getElemTryScalarElemOfTypedObject(bool *emitted,
 TypeRepresentationSet elemTypeReprs,
 size_t elemSize)
 {
- JS_ASSERT(objTypeReprs.kind() == TypeRepresentation::SizedArray);
+ JS_ASSERT(objTypeReprs.allOfArrayKind());
 // Must always be loading the same scalar type
 if (!elemTypeReprs.singleton())
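Review bot: The new `if (length)` in TypedObject::createZeroed reads like a skipped-work optimization, but it is actually guarding a precondition of initInstance (the header hunk documents `count` must be at least 1), and nothing at the call site says so. A one-line comment above the guard, `// initInstance() requires at least one element; an empty array has nothing to initialize.`, keeps the next person from "simplifying" it away. createZeroed begins outside the hunk, so where `length` and `memory` come from can't be checked here.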
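Review bot: The forEach callback in bug953111.js is empty and neither case asserts anything, so the test only detects a crash; an over-iteration of the zero-length array that happens not to crash would pass unnoticed. Counting callback invocations and checking the count, e.g. `var n = 0; a.forEach(function(val, i) { n++; }); assertEq(n, 0);`, pins the intended behavior, and an `assertEq(aa.length, 0);` after the second construction would do the same for the bug 951356 case.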
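Review bot: The assertion at the top of IonBuilder::getElemTryScalarElemOfTypedObject is loosened from `kind() == TypeRepresentation::SizedArray` to `allOfArrayKind()`, and neither the hunk nor the commit message says why the broader set of array kinds is now acceptable in this path; if `allOfArrayKind()` also admits unsized arrays, that is a behavioral widening rather than the length check the commit title describes. A short comment at the assert stating which array kinds are expected here, and why the sized-only check was too strict, would document the intent. The rest of the function lies outside the hunk, so whether the later code copes with the additional kinds cannot be verified from here.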