Closed Bug 1231924 Opened 9 years ago Closed 9 years ago

TypedArray: assert INT32_MAX

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: lth, Assigned: lth)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

See bug 1176214 comment 76 and nearby: --- 8>< ---------------------------------------------- > > > ::: js/src/jsfriendapi.h > > > @@ +1211,5 @@ > > > if (bufSlot.isObject()) { > > > + if (IsArrayBuffer(&bufSlot.toObject())) { > > > + ArrayBufferObject& buf = AsArrayBuffer(MaybeForwarded(&bufSlot.toObject())); > > > + int32_t offset = obj->getReservedSlot(TypedArrayObject::BYTEOFFSET_SLOT).toInt32(); > > > + MOZ_ASSERT(buf.dataPointer() != nullptr); > > > > Assert offset >= 0? > > Looking at code elsewhere, the correct type here is uint32_t, so I went that > way instead. Fair enough, but we should assert <= INT32_MAX, then, to detect the negative-number case. (Typed array offsets/lengths/etc. all are int32_t-limited, precisely because of their being shoved into Values in reserved slots.) --- 8>< ----------------------------------------------
Attachment #8734396 - Flags: review?(jwalden+bmo)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Attachment #8734396 - Flags: review?(jwalden+bmo) → review+
Landed with the wrong number yesterday. https://hg.mozilla.org/mozilla-central/rev/fa65591762ba
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: