From ec813f7f4bb1e3f51dbd07ba13a8e76f960d92f6 Mon Sep 17 00:00:00 2001
From: Nicholas Nethercote
Date: Tue, 12 Jul 2011 15:44:22 +1000
Subject: [PATCH] Bug 669005 - Fix ArrayBuffer so its slots are reported by the "gc-heap/object-slots" reporters. r=jwalden.
---
 js/src/jsobj.h | 12 ++++++++----
 js/src/jstypedarray.cpp | 16 ++++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index f955c3382d89..9bc92ae9cb38 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -305,9 +305,12 @@ class ValidateWriter;
  * The slots member is a pointer to the slot vector for the object.
  * This can be either a fixed array allocated immediately after the object,
  * or a dynamically allocated array. A dynamic array can be tested for with
- * hasSlotsArray(). In all cases, capacity gives the number of usable slots.
- * Two objects with the same shape have the same number of fixed slots,
- * and either both have or neither have dynamically allocated slot arrays.
+ * hasSlotsArray(). In all cases but one, capacity gives the number of usable
+ * slots. The exception is for ArrayBuffer where capacity gives the number of
+ * whole slots in the slots array (which includes one word for the array's
+ * length); there may be a fraction of a slot left over at the end.
+ * Two objects with the same shape have the same number of fixed slots, and
+ * either both have or neither have dynamically allocated slot arrays.
  *
  * If you change this struct, you'll probably need to change the AccSet values
  * in jsbuiltins.h.
@@ -386,7 +389,8 @@ struct JSObject : js::gc::Cell {
     JSObject *proto; /* object's prototype */
     JSObject *parent; /* object's parent */
     void *privateData; /* private data */
-    jsuword capacity; /* capacity of slots */
+    jsuword capacity; /* number of slots; for ArrayBuffer the number
+                         may be be non-integral, so this may underestimate */
     js::Value *slots; /* dynamically allocated slots, or pointer to fixedSlots() */
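Review bot: The new paragraph in the jsobj.h comment hunk documents the ArrayBuffer exception to the capacity rule but gives no pointer to where that value is actually computed, so a reader of this header has no way to find the code that establishes it. I would end the sentence with a cross-reference, e.g. `* length); there may be a fraction of a slot left over at the end (see AllocateSlots in jstypedarray.cpp).`, so the two halves of the invariant stay findable from each other when either is changed.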
diff --git a/js/src/jstypedarray.cpp b/js/src/jstypedarray.cpp
index d4a545fa3414..779f74dfa811 100644
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@@ -152,11 +152,19 @@ ArrayBuffer::class_constructor(JSContext *cx, uintN argc, Value *vp)
 static inline JSBool
 AllocateSlots(JSContext *cx, JSObject *obj, uint32 size)
 {
-    uint32 bytes = size + sizeof(js::Value);
-    if (size > sizeof(js::Value) * ARRAYBUFFER_RESERVED_SLOTS - sizeof(js::Value) ) {
-        obj->slots = (js::Value *)cx->calloc_(bytes);
-        if (!obj->slots)
+    uint32 bytes = size + sizeof(Value);
+    if (size > sizeof(Value) * ARRAYBUFFER_RESERVED_SLOTS - sizeof(Value) ) {
+        JS_ASSERT(!obj->hasSlotsArray());
+        Value *tmpslots = (Value *)cx->calloc_(bytes);
+        if (!tmpslots)
             return false;
+        obj->slots = tmpslots;
+        /*
+         * Note that |bytes| may not be a multiple of |sizeof(Value)|, so
+         * |capacity * sizeof(Value)| may underestimate the size by up to
+         * |sizeof(Value) - 1| bytes.
+         */
+        obj->capacity = bytes / sizeof(Value);
     } else {
         memset(obj->slots, 0, bytes);
     }
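Review bot: `uint32 bytes = size + sizeof(Value);` can wrap when `size` is within `sizeof(Value)` of `UINT32_MAX`, and nothing in the hunk rejects that case: the `size > ...` comparison still takes the heap branch, `calloc_(bytes)` succeeds with a tiny allocation, and `capacity` is then derived from the wrapped value, so the object ends up with far fewer bytes of slot storage than the `size` the caller asked for. Whether `class_constructor` (above the hunk) already bounds `size` is not visible here; if it does not, a guard such as `if (size > UINT32_MAX - sizeof(Value)) return false;` before the addition closes the gap, and it is cheap enough to keep even if it does. The `else` branch leaves `capacity` untouched, presumably the fixed-slot count set when the object was created; a one-line comment stating that would make the slot accounting this bug is about easier to follow. AllocateSlots continues past the end of the hunk.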