author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-06-17 18:37:23 +0000 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-06-17 18:37:23 +0000 |
commit | 3c878b1e3bbb043b22ab032bce1fe111b8062ca9 (patch) | |
tree | aefb6e52600ba4732334f43ada963186825ac6bc | |
parent | 9153838ea299da3bd00767394ff021318c1e0f12 (diff) | |
Convert CopyBoxedOrUnboxedDenseElements to something that doesn't crash.
-rw-r--r-- | js/src/jit/BaselineIC.cpp | 14 | ||||
-rw-r--r-- | js/src/jsarray.cpp | 24 | ||||
-rw-r--r-- | js/src/vm/UnboxedObject-inl.h | 18 |
3 files changed, 33 insertions, 23 deletions
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 2b0822655..17fdb1807 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5769,8 +5769,18 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
 if (!nobj)
 return false;
 EnsureArrayGroupAnalyzed(cx, nobj); //XXX
- CopyBoxedOrUnboxedDenseElements(cx, nobj, arr, 0, 0, length);
-
+
+ MOZ_ASSERT(arr->isNative());
+ MOZ_ASSERT(nobj->isNative());
+ MOZ_ASSERT(nobj->as<NativeObject>().getDenseInitializedLength() == 0);
+ MOZ_ASSERT(arr->as<NativeObject>().getDenseInitializedLength() >= length);
+ MOZ_ASSERT(nobj->as<NativeObject>().getDenseCapacity() >= length);
+
+ nobj->as<NativeObject>().setDenseInitializedLength(length);
+
+ const Value* vp = arr->as<NativeObject>().getDenseElements();
+ nobj->as<NativeObject>().initDenseElements(0, vp, length);
+
 result.setObject(*nobj);
 return true;
 }
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 7af7c9800..159717fea 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2361,6 +2361,22 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co
 startingIndex + count <= arr->as<NativeObject>().getDenseInitializedLength();
 }
+static inline DenseElementResult
+CopyDenseElements(JSContext* cx, NativeObject* dst, NativeObject* src,
+ uint32_t dstStart, uint32_t srcStart, uint32_t length)
+{
+ MOZ_ASSERT(dst->getDenseInitializedLength() == dstStart);
+ MOZ_ASSERT(src->getDenseInitializedLength() >= srcStart + length);
+ MOZ_ASSERT(dst->getDenseCapacity() >= dstStart + length);
+
+ dst->setDenseInitializedLength(dstStart + length);
+
+ const Value* vp = src->getDenseElements() + srcStart;
+ dst->initDenseElements(dstStart, vp, length);
+
+ return DenseElementResult::Success;
+}
+
 /* ES 2016 draft Mar 25, 2016 22.1.3.26. */
 bool
 js::array_splice(JSContext* cx, unsigned argc, Value* vp)
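Review bot: The bounds that protect the new `initDenseElements(0, vp, length)` copy in CopyArray exist only as MOZ_ASSERTs, which are compiled out of release builds, so a `length` larger than `arr`'s dense initialized length or `nobj`'s dense capacity would read or write past the elements buffer with no check at all; the same holds for the new CopyDenseElements helper in jsarray.cpp. CopyArray's body starts above the hunk, so where `length` is computed and whether EnsureArrayGroupAnalyzed can change `arr`'s elements between that point and the copy is not visible here; if it can, a release-mode check such as `MOZ_RELEASE_ASSERT(arr->as<NativeObject>().getDenseInitializedLength() >= length);` would make a mismatch fail closed instead of silently copying out of bounds. Inlining the helper's body here also duplicates the CopyDenseElements function added in jsarray.cpp; since that one is `static inline` in a .cpp file it cannot be shared, so moving it to a header both files include would keep a single copy of the precondition checks.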
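Review bot: CopyDenseElements takes a `JSContext* cx` that its body never reads (every statement touches only `dst` and `src`), and the helper carries no comment describing the preconditions it asserts. If `cx` is kept only so the call sites look like the old CopyBoxedOrUnboxedDenseElements calls, say so or drop it; either way a header comment would help, e.g. `// Copy length dense elements of src, starting at srcStart, into dst at dstStart.` / `// dst's initialized length must equal dstStart and its capacity must cover the copy;` / `// both are checked by MOZ_ASSERT only, i.e. not in release builds.`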
@@ -2459,7 +2475,9 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI
 /* Steps 10-11. */
 DebugOnly<DenseElementResult> result =
- CopyBoxedOrUnboxedDenseElements(cx, arr, obj, 0, actualStart, actualDeleteCount);
+ CopyDenseElements(cx, &arr->as<NativeObject>(),
+ &obj->as<NativeObject>(), 0,
+ actualStart, actualDeleteCount);
 MOZ_ASSERT(result.value == DenseElementResult::Success);
 /* Step 12 (implicit). */
@@ -2827,7 +2845,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be
 if (count) {
 DebugOnly<DenseElementResult> result =
- CopyBoxedOrUnboxedDenseElements(cx, narr, obj, 0, begin, count);
+ CopyDenseElements(cx, &narr->as<NativeObject>(), &obj->as<NativeObject>(), 0, begin, count);
 MOZ_ASSERT(result.value == DenseElementResult::Success);
 }
 arr.set(narr);
@@ -2968,7 +2986,7 @@ ArraySliceDenseKernel(JSContext* cx, ArrayObject* arr, int32_t beginArg, int32_t
 if (count) {
 if (!result->ensureElements(cx, count))
 return false;
- CopyBoxedOrUnboxedDenseElements(cx, result, arr, 0, begin, count);
+ CopyDenseElements(cx, &result->as<NativeObject>(), &arr->as<NativeObject>(), 0, begin, count);
 }
 }
diff --git a/js/src/vm/UnboxedObject-inl.h b/js/src/vm/UnboxedObject-inl.h
index 711a064f2..069527141 100644
--- a/js/src/vm/UnboxedObject-inl.h
+++ b/js/src/vm/UnboxedObject-inl.h
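Review bot: The three call sites handle the helper's return value inconsistently: array_splice_impl and ArraySliceOrdinary wrap it in `DebugOnly<DenseElementResult>` and assert Success, while ArraySliceDenseKernel in the last hunk discards it. CopyDenseElements, added earlier in this file, has a single `return DenseElementResult::Success;`, so the assertion at the first two sites can never fail and the DebugOnly ceremony documents nothing. Either drop the result at all three sites, or make the helper return a non-Success value when its preconditions do not hold so the assertion carries meaning. Note also that the removed helper asserted `isNative()` on both objects; that check now rests on the callers' `as<NativeObject>()` conversions, which are likewise debug-only, so in release builds the native-object guarantee depends on whatever guards precede these hunks, which are not visible here. The enclosing functions start and end outside each hunk.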
@@ -226,24 +226,6 @@ MoveBoxedOrUnboxedDenseElements(JSContext* cx, JSObject* obj, uint32_t dstStart,
 return DenseElementResult::Success;
 }
-static inline DenseElementResult
-CopyBoxedOrUnboxedDenseElements(JSContext* cx, JSObject* dst, JSObject* src,
- uint32_t dstStart, uint32_t srcStart, uint32_t length)
-{
- MOZ_ASSERT(src->isNative());
- MOZ_ASSERT(dst->isNative());
- MOZ_ASSERT(dst->as<NativeObject>().getDenseInitializedLength() == dstStart);
- MOZ_ASSERT(src->as<NativeObject>().getDenseInitializedLength() >= srcStart + length);
- MOZ_ASSERT(dst->as<NativeObject>().getDenseCapacity() >= dstStart + length);
-
- dst->as<NativeObject>().setDenseInitializedLength(dstStart + length);
-
- const Value* vp = src->as<NativeObject>().getDenseElements() + srcStart;
- dst->as<NativeObject>().initDenseElements(dstStart, vp, length);
-
- return DenseElementResult::Success;
-}
-
 } // namespace js
 #endif // vm_UnboxedObject_inl_h |