Bug 1195208 - Fix ArrayBuffer.transfer isNeutered check. r=luke

--HG-- extra : rebase_source : 704ebdcf2c0c7b1e85c492eb0cfbde85804a212a
2024-11-30 00:01:50 +00:00 · 2015-08-18 16:03:31 +02:00 · 2015-08-18 16:03:31 +02:00 · 921ebacd55
commit 921ebacd55
parent 28a77c7337
2 changed files with 9 additions and 5 deletions
--- a/js/src/jit-test/tests/basic/testArrayBufferTransfer.js
+++ b/js/src/jit-test/tests/basic/testArrayBufferTransfer.js
@ -36,6 +36,10 @@ assertEq(buf.byteLength, 0);
 buf = XF(buf, Math.pow(2,32) + 10);
 assertEq(buf.byteLength, 10);

+assertThrowsInstanceOf(()=>XF(buf, {valueOf() { neuter(buf, "change-data"); return 10; }}), TypeError);
+var buf = new ArrayBuffer(100);
+assertThrowsInstanceOf(()=>XF(buf, {valueOf() { ArrayBuffer.transfer(buf, 0); return 100; }}), TypeError);
+
 // on undefined second argument, stay the same size:
 var buf1 = new ArrayBuffer(0);
 var buf2 = XF(buf1);
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@ -371,11 +371,6 @@ ArrayBufferObject::fun_transfer(JSContext* cx, unsigned argc, Value* vp)
        oldBuffer = &unwrapped->as<ArrayBufferObject>();
    }

-    if (oldBuffer->isNeutered()) {
-        JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_DETACHED);
-        return false;
-    }
-
    size_t oldByteLength = oldBuffer->byteLength();
    size_t newByteLength;
    if (newByteLengthArg.isUndefined()) {
@ -391,6 +386,11 @@ ArrayBufferObject::fun_transfer(JSContext* cx, unsigned argc, Value* vp)
        newByteLength = size_t(i32);
    }

+    if (oldBuffer->isNeutered()) {
+        JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_DETACHED);
+        return false;
+    }
+
    UniquePtr<uint8_t, JS::FreePolicy> newData;
    if (!newByteLength) {
        if (!ArrayBufferObject::neuter(cx, oldBuffer, oldBuffer->contents()))