Bug 984766 - Don't give extra fixed slots to array buffer objects with inline storage, r=sfink.

2014-03-18 19:04:22 -06:00 · 2014-03-18 19:04:22 -06:00 · 2fd266b0a1
--- a/js/src/jit-test/tests/basic/bug984766.js
+++ b/js/src/jit-test/tests/basic/bug984766.js
@ -0,0 +1,7 @@
+
+for (var i = 0; i < 10; i++) {
+  x = ArrayBuffer(4)
+  x.f = (function() {})
+  Uint16Array(x).set(JSON.parse)
+  gcslice()
+}
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -1253,8 +1253,20 @@ NewObject(ExclusiveContext *cx, types::TypeObject *type_, JSObject *parent, gc::
    if (!NewObjectMetadata(cx, &metadata))
        return nullptr;

+    // Normally, the number of fixed slots given an object is the maximum
+    // permitted for its size class. For array buffers we only use enough to
+    // cover the class reservd slots, so that the remaining space in the
+    // object's allocation is available for the buffer's data.
+    size_t nfixed;
+    if (clasp == &ArrayBufferObject::class_) {
+        JS_STATIC_ASSERT(ArrayBufferObject::RESERVED_SLOTS == 4);
+        nfixed = ArrayBufferObject::RESERVED_SLOTS;
+    } else {
+        nfixed = GetGCKindSlots(kind, clasp);
+    }
+
    RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, type->proto(),
-                                                      parent, metadata, kind));
+                                                      parent, metadata, nfixed));
    if (!shape)
        return nullptr;

--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@ -504,7 +504,8 @@ JSObject::create(js::ExclusiveContext *cx, js::gc::AllocKind kind, js::gc::Initi
    JS_ASSERT(shape && type);
    JS_ASSERT(type->clasp() == shape->getObjectClass());
    JS_ASSERT(type->clasp() != &js::ArrayObject::class_);
-    JS_ASSERT(js::gc::GetGCKindSlots(kind, type->clasp()) == shape->numFixedSlots());
+    JS_ASSERT_IF(type->clasp() != &js::ArrayBufferObject::class_,
+                 js::gc::GetGCKindSlots(kind, type->clasp()) == shape->numFixedSlots());
    JS_ASSERT_IF(type->clasp()->flags & JSCLASS_BACKGROUND_FINALIZE, IsBackgroundFinalized(kind));
    JS_ASSERT_IF(type->clasp()->finalize, heap == js::gc::TenuredHeap);

--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@ -582,6 +582,8 @@ ArrayBufferObject::create(JSContext *cx, uint32_t nbytes, void *data /* = nullpt
 {
    // If we need to allocate data, try to use a larger object size class so
    // that the array buffer's data can be allocated inline with the object.
+    // The extra space will be left unused by the object's fixed slots and
+    // available for the buffer's data, see NewObject().
    size_t reservedSlots = JSCLASS_RESERVED_SLOTS(&class_);

    size_t nslots = reservedSlots;