Bug 1082649 - Check for neutered typed objects before accessing their byte offset, r=nmatsakis.

js/src/builtin/TypedObject.js

@@ -556,6 +556,9 @@ function StorageOfTypedObject(obj) {
       return null;
 
     if (ObjectIsTransparentTypedObject(obj)) {
+      if (!TypedObjectIsAttached(obj))
+          ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
+
       var descr = TypedObjectTypeDescr(obj);
       var byteLength;
       if (DESCR_KIND(descr) == JS_TYPEREPR_UNSIZED_ARRAY_KIND)
@@ -1144,6 +1147,9 @@ function MapTypedParImplDepth1(inArray, inArrayType, outArrayType, func) {
   assert(IsObject(inArray) && ObjectIsTypedObject(inArray),
          "DoMapTypedParDepth1: invalid inArray");
 
+  if (!TypedObjectIsAttached(inArray))
+    ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
+
   // Determine the grain types of the input and output.
   const inGrainType = inArrayType.elementType;
   const outGrainType = outArrayType.elementType;

js/src/jit-test/tests/TypedObject/bug1082649.js

@@ -0,0 +1,16 @@
+if (typeof TypedObject === "undefined")
+  quit();
+
+var {StructType, uint32, storage} = TypedObject;
+var S = new StructType({f: uint32, g: uint32});
+function main(variant) {
+  var s = new S({f: 22, g: 44});
+  neuter(storage(s).buffer, variant);
+  print(storage(s).byteOffset);
+}
+try {
+    main("same-data");
+    assertEq(true, false);
+} catch (e) {
+    assertEq(e instanceof TypeError, true);
+}