Bug 1082649 - Check for neutered typed objects before accessing their byte offset, r=nmatsakis.
parent
eac7e8e4cb
commit
a0c5f54031
@ -556,6 +556,9 @@ function StorageOfTypedObject(obj) {
|
||||
return null;
|
||||
|
||||
if (ObjectIsTransparentTypedObject(obj)) {
|
||||
if (!TypedObjectIsAttached(obj))
|
||||
ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
|
||||
|
||||
var descr = TypedObjectTypeDescr(obj);
|
||||
var byteLength;
|
||||
if (DESCR_KIND(descr) == JS_TYPEREPR_UNSIZED_ARRAY_KIND)
|
||||
@ -1144,6 +1147,9 @@ function MapTypedParImplDepth1(inArray, inArrayType, outArrayType, func) {
|
||||
assert(IsObject(inArray) && ObjectIsTypedObject(inArray),
|
||||
"DoMapTypedParDepth1: invalid inArray");
|
||||
|
||||
if (!TypedObjectIsAttached(inArray))
|
||||
ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
|
||||
|
||||
// Determine the grain types of the input and output.
|
||||
const inGrainType = inArrayType.elementType;
|
||||
const outGrainType = outArrayType.elementType;
|
||||
|
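Review bot: The `TypedObjectIsAttached(inArray)` guard in `MapTypedParImplDepth1` runs once at entry, but the function takes a caller-supplied `func` that is presumably invoked per element further down, in the part of the body that lies outside this hunk. If that callback can neuter `inArray`'s buffer, later element reads would not pass through this check again. Either re-validate before each read after the callback returns, or add a comment next to the guard such as `// func cannot detach inArray because <reason>; a single check at entry is sufficient`. The same question applies to any sibling map/reduce entry points that are not shown on this page, since only the depth-1 variant gains the guard here.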
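--- a/js/src/jit-test/tests/TypedObject/bug1082649.js
+++ b/js/src/jit-test/tests/TypedObject/bug1082649.js
@@ -0,0 +1,16 @@
+if (typeof TypedObject === "undefined")
+quit();
+
+var {StructType, uint32, storage} = TypedObject;
+var S = new StructType({f: uint32, g: uint32});
+function main(variant) {
+var s = new S({f: 22, g: 44});
+neuter(storage(s).buffer, variant);
+print(storage(s).byteOffset);
+}
+try {
+main("same-data");
+assertEq(true, false);
+} catch (e) {
+assertEq(e instanceof TypeError, true);
+}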
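Review bot: This regression test exercises only the `storage(s).byteOffset` path, so the second guard this commit adds, in `MapTypedParImplDepth1`, has no coverage here. `main` already takes a `variant` parameter but is called only with `"same-data"`; running it in a second try/catch with the shell's other neuter variant (`"change-data"`, if this build supports it) would cover both detach modes. The `assertEq(true, false)` sentinel sits inside the `try`, so a missing throw surfaces only indirectly as a failed `instanceof TypeError` assertion. Setting `var threw = false;` before the block, `threw = true;` in the `catch`, and `assertEq(threw, true);` after it would make that failure explicit.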