From 04d7209dc0215b28d3577c09c1289639f71c4d66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?=
Date: Wed, 19 Oct 2016 20:34:38 +0200
Subject: [PATCH] Bug 1310744: Allow MoveBoxedOrUnboxedDenseElements to bail out if the elements are frozen. r=nbp
MozReview-Commit-ID: EXhw8FkcNnu
--HG--
extra : rebase_source : 157628abbb16c618e9f451381510813b5535fb00
---
js/src/jsarray.cpp | 5 ++---
js/src/vm/UnboxedObject-inl.h | 3 +++
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 260f0c4b4595..c341344a23d8 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2203,9 +2203,8 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval)
 rval.setUndefined();
 DenseElementResult result = MoveBoxedOrUnboxedDenseElements(cx, obj, 0, 1, initlen - 1);
- MOZ_ASSERT(result != DenseElementResult::Incomplete);
- if (result == DenseElementResult::Failure)
- return DenseElementResult::Failure;
+ if (result != DenseElementResult::Success)
+ return result;
 SetBoxedOrUnboxedInitializedLength(cx, obj, initlen - 1);
 return DenseElementResult::Success;
diff --git a/js/src/vm/UnboxedObject-inl.h b/js/src/vm/UnboxedObject-inl.h
index e7fa81201869..7e735c357281 100644
--- a/js/src/vm/UnboxedObject-inl.h
+++ b/js/src/vm/UnboxedObject-inl.h
@@ -561,6 +561,9 @@ MoveBoxedOrUnboxedDenseElements(JSContext* cx, JSObject* obj, uint32_t dstStart,
 MOZ_ASSERT(HasBoxedOrUnboxedDenseElements(obj));
 if (Type == JSVAL_TYPE_MAGIC) {
+ if (obj->as().denseElementsAreFrozen())
+ return DenseElementResult::Incomplete;
+
 if (!obj->as().maybeCopyElementsForWrite(cx))
 return DenseElementResult::Failure;
 obj->as().moveDenseElements(dstStart, srcStart, length);
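Review bot: Propagating `Incomplete` from MoveBoxedOrUnboxedDenseElements changes what this kernel promises its caller, and the dropped MOZ_ASSERT was the only place that recorded which results were expected here; a one-line comment on the new `return result;` would keep that visible, e.g. `// Incomplete: the elements are frozen, so the caller must take the generic shift path.` Note that `rval.setUndefined()` on the line above has already run when Incomplete is returned, which is only safe if the caller discards rval on any non-Success result — presumably it does, since Failure had the same property before this change, but it is worth confirming. ArrayShiftDenseKernel begins outside the hunk.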
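Review bot: Returning `Incomplete` for frozen elements makes a result reachable that callers of MoveBoxedOrUnboxedDenseElements were previously entitled to assert against (the jsarray.cpp hunk fixes one such caller); any other caller that still asserts `result != DenseElementResult::Incomplete`, or treats anything other than Failure as success, would in a release build carry on as if the move had happened and adjust the initialized length of a frozen array whose elements were never moved. The commit message should name the callers that were audited, or the new contract should be stated on the function itself: `// Returns Incomplete when the dense elements are frozen; the caller must fall back to the generic path.` The guard sits only in the `Type == JSVAL_TYPE_MAGIC` branch — if unboxed dense elements can also be frozen, the other branch (outside the hunk) needs the same check, which I cannot tell from here. Placing the frozen check ahead of `maybeCopyElementsForWrite` is the right order, since a copy-on-write must not be triggered for an object whose elements are immutable.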