From 921ebacd55840b0a168b146db82c58a4eeae67da Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Tue, 18 Aug 2015 16:03:31 +0200
Subject: [PATCH] Bug 1195208 - Fix ArrayBuffer.transfer isNeutered check. r=luke

--HG--
extra : rebase_source : 704ebdcf2c0c7b1e85c492eb0cfbde85804a212a
---
 js/src/jit-test/tests/basic/testArrayBufferTransfer.js | 4 ++++
 js/src/vm/ArrayBufferObject.cpp | 10 +++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/js/src/jit-test/tests/basic/testArrayBufferTransfer.js b/js/src/jit-test/tests/basic/testArrayBufferTransfer.js
index 4c17dcf3c05d..9a68ed75153a 100644
--- a/js/src/jit-test/tests/basic/testArrayBufferTransfer.js
+++ b/js/src/jit-test/tests/basic/testArrayBufferTransfer.js
@@ -36,6 +36,10 @@ assertEq(buf.byteLength, 0);
 buf = XF(buf, Math.pow(2,32) + 10);
 assertEq(buf.byteLength, 10);
 
+assertThrowsInstanceOf(()=>XF(buf, {valueOf() { neuter(buf, "change-data"); return 10; }}), TypeError);
+var buf = new ArrayBuffer(100);
+assertThrowsInstanceOf(()=>XF(buf, {valueOf() { ArrayBuffer.transfer(buf, 0); return 100; }}), TypeError);
+
 // on undefined second argument, stay the same size:
 var buf1 = new ArrayBuffer(0);
 var buf2 = XF(buf1);
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 4f42b3ea95d4..dae69d741d7c 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -371,11 +371,6 @@ ArrayBufferObject::fun_transfer(JSContext* cx, unsigned argc, Value* vp)
 oldBuffer = &unwrapped->as();
 }
 
- if (oldBuffer->isNeutered()) {
- JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_DETACHED);
- return false;
- }
-
 size_t oldByteLength = oldBuffer->byteLength();
 size_t newByteLength;
 if (newByteLengthArg.isUndefined()) {
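Review bot: In testArrayBufferTransfer.js the two added `assertThrowsInstanceOf` cases check only that a TypeError is raised, not the state the failed call leaves behind. Following each with `assertEq(buf.byteLength, 0);` would pin that the buffer detached from inside `valueOf` stays detached and that the outer transfer did not act on it. The `var` on `var buf = new ArrayBuffer(100);` also appears to redeclare a name the earlier lines already assign, so a plain assignment would read more consistently (the original declaration is outside the hunk).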
@@ -391,6 +386,11 @@ ArrayBufferObject::fun_transfer(JSContext* cx, unsigned argc, Value* vp)
 newByteLength = size_t(i32);
 }
 
+ if (oldBuffer->isNeutered()) {
+ JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_DETACHED);
+ return false;
+ }
+
 UniquePtr newData;
 if (!newByteLength) {
 if (!ArrayBufferObject::neuter(cx, oldBuffer, oldBuffer->contents()))
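Review bot: Nothing at the relocated `isNeutered()` check in fun_transfer records why it has to sit after the `newByteLength` conversion, so a later cleanup could move it back to the top with the other argument validation. A comment such as `// Converting newByteLengthArg can run script (e.g. valueOf) that detaches oldBuffer; check only after all conversions.` would make the ordering constraint explicit. Separately, `size_t oldByteLength = oldBuffer->byteLength();` (context of the previous hunk) is still read before that conversion; it looks harmless today because the detached case returns early, but reading it after this check would avoid keeping a length that predates script execution. The function body begins and continues outside the hunk.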