From 42e01bc427dea7735c18ac771928781b66c5e96c Mon Sep 17 00:00:00 2001
From: Wes Kocher
Date: Wed, 12 Mar 2014 14:27:13 -0700
Subject: [PATCH] Backed out changeset 6dc60397b3a1 (bug 976530)

---
 js/src/builtin/TypeRepresentation.cpp | 10 +++++-----
 js/src/jit-test/tests/TypedObject/bug976530.js | 10 ----------
 js/src/vm/ArrayBufferObject.cpp | 1 -
 3 files changed, 5 insertions(+), 16 deletions(-)
 delete mode 100644 js/src/jit-test/tests/TypedObject/bug976530.js

diff --git a/js/src/builtin/TypeRepresentation.cpp b/js/src/builtin/TypeRepresentation.cpp
index 69c7863dee59..786eb5a6061d 100644
--- a/js/src/builtin/TypeRepresentation.cpp
+++ b/js/src/builtin/TypeRepresentation.cpp
@@ -309,9 +309,9 @@ StructTypeRepresentation::init(JSContext *cx,
 
 // We compute alignment into the field `align_` directly in the
 // loop below, but not `size_` because we have to very careful
- // about overflow. For now, we always use an int32_t for
+ // about overflow. For now, we always use a uint32_t for
 // consistency across build environments.
- int32_t totalSize = 0;
+ uint32_t totalSize = 0;
 
 // These will be adjusted in the loop below:
 alignment_ = 1;
@@ -324,7 +324,7 @@ StructTypeRepresentation::init(JSContext *cx,
 if (fieldTypeRepr->opaque())
 opaque_ = true;
 
- int32_t alignedSize = alignTo(totalSize, fieldTypeRepr->alignment());
+ uint32_t alignedSize = alignTo(totalSize, fieldTypeRepr->alignment());
 if (alignedSize < totalSize) {
 JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
 JSMSG_TYPEDOBJECT_TOO_BIG);
@@ -335,7 +335,7 @@ StructTypeRepresentation::init(JSContext *cx,
 fieldTypeRepr, alignedSize);
 alignment_ = js::Max(alignment_, fieldTypeRepr->alignment());
 
- int32_t incrementedSize = alignedSize + fieldTypeRepr->size();
+ uint32_t incrementedSize = alignedSize + fieldTypeRepr->size();
 if (incrementedSize < alignedSize) {
 JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
 JSMSG_TYPEDOBJECT_TOO_BIG);
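Review bot: The overflow guards in this hunk and in the three that follow it (`alignedSize < totalSize` in the -324 and -345 hunks, `incrementedSize < alignedSize` in the -335 hunk) only detect wrap-around because the operands are unsigned, yet the new-side comment still justifies `uint32_t` solely by "consistency across build environments", which hides the real invariant. I would extend that comment: `// Unsigned on purpose: the wrap-around checks below (alignedSize < totalSize, incrementedSize < alignedSize) are only well-defined for unsigned arithmetic; with a signed type the overflow would be UB and the checks could be optimized away.` The guards also assume that `alignTo` and `fieldTypeRepr->size()` yield values that fit in 32 bits — neither signature is visible here — since a wider result would be truncated on assignment before the comparison runs, so that is worth confirming. `StructTypeRepresentation::init` starts and ends outside these hunks.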
@@ -345,7 +345,7 @@ StructTypeRepresentation::init(JSContext *cx,
 totalSize = incrementedSize;
 }
 
- int32_t alignedSize = alignTo(totalSize, alignment_);
+ uint32_t alignedSize = alignTo(totalSize, alignment_);
 if (alignedSize < totalSize) {
 JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
 JSMSG_TYPEDOBJECT_TOO_BIG);
diff --git a/js/src/jit-test/tests/TypedObject/bug976530.js b/js/src/jit-test/tests/TypedObject/bug976530.js
deleted file mode 100644
index 2acb267081df..000000000000
--- a/js/src/jit-test/tests/TypedObject/bug976530.js
+++ /dev/null
@@ -1,10 +0,0 @@
-// |jit-test| error:Error
-
-// Test that we don't permit structs whose fields exceed 32 bits. Public domain.
-
-if (!this.hasOwnProperty("TypedObject"))
- throw new Error();
-
-var Vec3u16Type = TypedObject.uint16.array((1073741823));
-var PairVec3u16Type = new TypedObject.StructType({ fst: Vec3u16Type, snd: Vec3u16Type });
-new PairVec3u16Type();
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 4f602e7b8672..fe52c3436ef5 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -303,7 +303,6 @@ static ObjectElements *
 AllocateArrayBufferContents(JSContext *maybecx, uint32_t nbytes, void *oldptr = nullptr)
 {
 uint32_t size = nbytes + sizeof(ObjectElements);
- JS_ASSERT(size > nbytes); // be wary of rollover
 ObjectElements *newheader;
 
 // if oldptr is given, then we need to do a realloc
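Review bot: With the assertion gone, `uint32_t size = nbytes + sizeof(ObjectElements);` in the ArrayBufferObject.cpp hunk has no guard against wrap-around: an `nbytes` within `sizeof(ObjectElements)` of `UINT32_MAX` yields a small `size`, and the allocation that follows would be undersized relative to the `nbytes` callers will go on to use. The removed `JS_ASSERT` was debug-only in any case, so unless every caller is known to bound `nbytes` well below that limit (not visible here), a release-mode check after the addition, `if (size < nbytes) return nullptr; // nbytes + header wrapped`, is the more defensible form — assuming `nullptr` is this function's existing failure value, which the hunk does not show. `AllocateArrayBufferContents` continues past the end of the hunk, so the allocation and its error path are outside view.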