Bug 1329187 - Call GetPrototypeFromConstructor before checking the ArrayBuffer length. r=evilpie

--HG-- extra : rebase_source : 1012281bfb8d2c6ed4fc4028a0c683aeb90c81e4
2017-01-11 14:08:00 -08:00 · 2017-01-11 14:08:00 -08:00 · 69b9b9f2ec
--- a/js/src/tests/test262/built-ins/ArrayBuffer/data-allocation-after-object-creation.js
+++ b/js/src/tests/test262/built-ins/ArrayBuffer/data-allocation-after-object-creation.js
@ -0,0 +1,38 @@
+// Copyright (C) 2015 André Bargull. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+
+/*---
+es6id: 24.1.2.1
+description: >
+  The new ArrayBuffer instance is created prior to allocating the Data Block.
+info: >
+  ArrayBuffer( length )
+
+  ...
+  6. Return AllocateArrayBuffer(NewTarget, byteLength).
+
+  AllocateArrayBuffer( constructor, byteLength )
+    1. Let obj be OrdinaryCreateFromConstructor(constructor, "%ArrayBufferPrototype%",
+       «[[ArrayBufferData]], [[ArrayBufferByteLength]]» ).
+    2. ReturnIfAbrupt(obj).
+    ...
+    4. Let block be CreateByteDataBlock(byteLength).
+    5. ReturnIfAbrupt(block).
+    ...
+features: [Reflect.construct]
+---*/
+
+function DummyError() { }
+
+var newTarget = function(){}.bind(null);
+Object.defineProperty(newTarget, "prototype", {
+  get: function() {
+    throw new DummyError();
+  }
+});
+
+assert.throws(DummyError, function() {
+  // Allocating 7 PiB should fail with a RangeError.
+  // Math.pow(1024, 5) = 1125899906842624
+  Reflect.construct(ArrayBuffer, [7 * 1125899906842624], newTarget);
+});
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@ -280,18 +280,21 @@ ArrayBufferObject::class_constructor(JSContext* cx, unsigned argc, Value* vp)
    if (!ToIndex(cx, args.get(0), &byteLength))
        return false;

-    // Non-standard: Refuse to allocate buffers larger than ~2 GiB.
-    if (byteLength > INT32_MAX) {
-        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH);
-        return false;
-    }
-
-    // Step 3.
+    // Step 3 (Inlined 24.1.1.1 AllocateArrayBuffer).
+    // 24.1.1.1, step 1 (Inlined 9.1.14 OrdinaryCreateFromConstructor).
    RootedObject proto(cx);
    RootedObject newTarget(cx, &args.newTarget().toObject());
    if (!GetPrototypeFromConstructor(cx, newTarget, &proto))
        return false;

+    // 24.1.1.1, step 3 (Inlined 6.2.6.1 CreateByteDataBlock, step 2).
+    // Refuse to allocate too large buffers, currently limited to ~2 GiB.
+    if (byteLength > INT32_MAX) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH);
+        return false;
+    }
+
+    // 24.1.1.1, steps 1 and 4-6.
    JSObject* bufobj = create(cx, uint32_t(byteLength), proto);
    if (!bufobj)
        return false;