diff options
author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-06-17 18:37:23 +0000 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-06-17 18:37:23 +0000 |
commit | 3c878b1e3bbb043b22ab032bce1fe111b8062ca9 (patch) | |
tree | aefb6e52600ba4732334f43ada963186825ac6bc /js/src/jit/BaselineIC.cpp | |
parent | 9153838ea299da3bd00767394ff021318c1e0f12 (diff) | |
download | UXP-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar UXP-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar.gz UXP-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar.lz UXP-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar.xz UXP-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.zip |
Convert CopyBoxedOrUnboxedDenseElements to something that doesn't crash.
Diffstat (limited to 'js/src/jit/BaselineIC.cpp')
-rw-r--r-- | js/src/jit/BaselineIC.cpp | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp index 2b0822655..17fdb1807 100644 --- a/js/src/jit/BaselineIC.cpp +++ b/js/src/jit/BaselineIC.cpp @@ -5769,8 +5769,18 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result) if (!nobj) return false; EnsureArrayGroupAnalyzed(cx, nobj); //XXX - CopyBoxedOrUnboxedDenseElements(cx, nobj, arr, 0, 0, length); - + + MOZ_ASSERT(arr->isNative()); + MOZ_ASSERT(nobj->isNative()); + MOZ_ASSERT(nobj->as<NativeObject>().getDenseInitializedLength() == 0); + MOZ_ASSERT(arr->as<NativeObject>().getDenseInitializedLength() >= length); + MOZ_ASSERT(nobj->as<NativeObject>().getDenseCapacity() >= length); + + nobj->as<NativeObject>().setDenseInitializedLength(length); + + const Value* vp = arr->as<NativeObject>().getDenseElements(); + nobj->as<NativeObject>().initDenseElements(0, vp, length); + result.setObject(*nobj); return true; } |