Convert CopyBoxedOrUnboxedDenseElements to something that doesn't crash.

author: wolfbeast <mcwerewolf@wolfbeast.com> 2019-06-17 18:37:23 +0000
committer: wolfbeast <mcwerewolf@wolfbeast.com> 2019-06-17 18:37:23 +0000
commit: 3c878b1e3bbb043b22ab032bce1fe111b8062ca9 (patch)
tree: aefb6e52600ba4732334f43ada963186825ac6bc
parent: 9153838ea299da3bd00767394ff021318c1e0f12 (diff)
download: uxp-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar.gz
3 files changed, 33 insertions, 23 deletions
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 2b08226556..17fdb18074 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -5769,8 +5769,18 @@ CopyArray(JSContext* cx, HandleArrayObject arr, MutableHandleValue result)
     if (!nobj)
         return false;
     EnsureArrayGroupAnalyzed(cx, nobj); //XXX
-    CopyBoxedOrUnboxedDenseElements(cx, nobj, arr, 0, 0, length);
-
+	
+    MOZ_ASSERT(arr->isNative());
+    MOZ_ASSERT(nobj->isNative());
+    MOZ_ASSERT(nobj->as<NativeObject>().getDenseInitializedLength() == 0);
+    MOZ_ASSERT(arr->as<NativeObject>().getDenseInitializedLength() >= length);
+    MOZ_ASSERT(nobj->as<NativeObject>().getDenseCapacity() >= length);
+
+    nobj->as<NativeObject>().setDenseInitializedLength(length);
+
+    const Value* vp = arr->as<NativeObject>().getDenseElements();
+    nobj->as<NativeObject>().initDenseElements(0, vp, length);
+	
     result.setObject(*nobj);
     return true;
 }
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 7af7c98001..159717feac 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2361,6 +2361,22 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co
            startingIndex + count <= arr->as<NativeObject>().getDenseInitializedLength();
 }
 
+static inline DenseElementResult
+CopyDenseElements(JSContext* cx, NativeObject* dst, NativeObject* src,
+                      uint32_t dstStart, uint32_t srcStart, uint32_t length)
+{
+    MOZ_ASSERT(dst->getDenseInitializedLength() == dstStart);
+    MOZ_ASSERT(src->getDenseInitializedLength() >= srcStart + length);
+    MOZ_ASSERT(dst->getDenseCapacity() >= dstStart + length);
+
+    dst->setDenseInitializedLength(dstStart + length);
+
+    const Value* vp = src->getDenseElements() + srcStart;
+    dst->initDenseElements(dstStart, vp, length);
+
+    return DenseElementResult::Success;
+}
+
 /* ES 2016 draft Mar 25, 2016 22.1.3.26. */
 bool
 js::array_splice(JSContext* cx, unsigned argc, Value* vp)
@@ -2459,7 +2475,9 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI
 
                 /* Steps 10-11. */
                 DebugOnly<DenseElementResult> result =
-                    CopyBoxedOrUnboxedDenseElements(cx, arr, obj, 0, actualStart, actualDeleteCount);
+                    CopyDenseElements(cx, &arr->as<NativeObject>(), 
+					                  &obj->as<NativeObject>(), 0, 
+									  actualStart, actualDeleteCount);
                 MOZ_ASSERT(result.value == DenseElementResult::Success);
 
                 /* Step 12 (implicit). */
@@ -2827,7 +2845,7 @@ ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint32_t length, uint32_t be
 
         if (count) {
             DebugOnly<DenseElementResult> result =
-                CopyBoxedOrUnboxedDenseElements(cx, narr, obj, 0, begin, count);
+                CopyDenseElements(cx, &narr->as<NativeObject>(), &obj->as<NativeObject>(), 0, begin, count);
             MOZ_ASSERT(result.value == DenseElementResult::Success);
         }
         arr.set(narr);
@@ -2968,7 +2986,7 @@ ArraySliceDenseKernel(JSContext* cx, ArrayObject* arr, int32_t beginArg, int32_t
         if (count) {
             if (!result->ensureElements(cx, count))
                 return false;
-            CopyBoxedOrUnboxedDenseElements(cx, result, arr, 0, begin, count);
+            CopyDenseElements(cx, &result->as<NativeObject>(), &arr->as<NativeObject>(), 0, begin, count);
         }
     }
 
diff --git a/js/src/vm/UnboxedObject-inl.h b/js/src/vm/UnboxedObject-inl.h
index 711a064f27..0695271417 100644
--- a/js/src/vm/UnboxedObject-inl.h
+++ b/js/src/vm/UnboxedObject-inl.h
@@ -226,24 +226,6 @@ MoveBoxedOrUnboxedDenseElements(JSContext* cx, JSObject* obj, uint32_t dstStart,
     return DenseElementResult::Success;
 }
 
-static inline DenseElementResult
-CopyBoxedOrUnboxedDenseElements(JSContext* cx, JSObject* dst, JSObject* src,
-                                uint32_t dstStart, uint32_t srcStart, uint32_t length)
-{
-    MOZ_ASSERT(src->isNative());
-    MOZ_ASSERT(dst->isNative());
-    MOZ_ASSERT(dst->as<NativeObject>().getDenseInitializedLength() == dstStart);
-    MOZ_ASSERT(src->as<NativeObject>().getDenseInitializedLength() >= srcStart + length);
-    MOZ_ASSERT(dst->as<NativeObject>().getDenseCapacity() >= dstStart + length);
-
-    dst->as<NativeObject>().setDenseInitializedLength(dstStart + length);
-
-    const Value* vp = src->as<NativeObject>().getDenseElements() + srcStart;
-    dst->as<NativeObject>().initDenseElements(dstStart, vp, length);
-
-    return DenseElementResult::Success;
-}
-
 } // namespace js
 
 #endif // vm_UnboxedObject_inl_h
author	wolfbeast <mcwerewolf@wolfbeast.com>	2019-06-17 18:37:23 +0000
committer	wolfbeast <mcwerewolf@wolfbeast.com>	2019-06-17 18:37:23 +0000
commit	3c878b1e3bbb043b22ab032bce1fe111b8062ca9 (patch)
tree	aefb6e52600ba4732334f43ada963186825ac6bc
parent	9153838ea299da3bd00767394ff021318c1e0f12 (diff)
download	uxp-3c878b1e3bbb043b22ab032bce1fe111b8062ca9.tar.gz