Closed
Bug 1231924
Opened 9 years ago
Closed 9 years ago
TypedArray: assert INT32_MAX
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla48
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: lth, Assigned: lth)
References
(Blocks 1 open bug)
Attachments
(1 file)
2.26 KB, patch | Waldo: review+
See bug 1176214 comment 76 and nearby:
--- 8>< ----------------------------------------------
> > > ::: js/src/jsfriendapi.h
> > > @@ +1211,5 @@
> > > if (bufSlot.isObject()) {
> > > + if (IsArrayBuffer(&bufSlot.toObject())) {
> > > + ArrayBufferObject& buf = AsArrayBuffer(MaybeForwarded(&bufSlot.toObject()));
> > > + int32_t offset = obj->getReservedSlot(TypedArrayObject::BYTEOFFSET_SLOT).toInt32();
> > > + MOZ_ASSERT(buf.dataPointer() != nullptr);
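Review bot: the offset read from BYTEOFFSET_SLOT via toInt32(), on the added line just above the MOZ_ASSERT, gets no range assertion, while buf.dataPointer() does. A negative slot value would go unnoticed at this point; assert the range next to the existing check, for example MOZ_ASSERT(offset >= 0). MOZ_ASSERT is compiled out of release builds, so this documents and tests the invariant rather than enforcing it.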
> >
> > Assert offset >= 0?
>
> Looking at code elsewhere, the correct type here is uint32_t, so I went that
> way instead.
Fair enough, but we should assert <= INT32_MAX, then, to detect the negative-number case. (Typed array offsets/lengths/etc. all are int32_t-limited, precisely because of their being shoved into Values in reserved slots.)
--- 8>< ----------------------------------------------
Comment 1•9 years ago (Assignee)
Attachment #8734396 -
Flags: review?(jwalden+bmo)
Updated•9 years ago (Assignee)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Updated•9 years ago
Attachment #8734396 -
Flags: review?(jwalden+bmo) → review+
Comment 2•9 years ago
Landed with the wrong number yesterday.
https://hg.mozilla.org/mozilla-central/rev/fa65591762ba
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48