From 6ee510460175a7eaa7df4d206c2f36385fdf4547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= Date: Wed, 19 Oct 2016 19:23:33 +0200 Subject: [PATCH] Bug 1310744: Add missing assertions in NativeObject.h r=nbp MozReview-Commit-ID: BIG3aqxp0q4 --HG-- extra : rebase_source : 655d7d2298a62e305c03f61fd99624300c47dcfb --- js/src/vm/NativeObject-inl.h | 2 ++ js/src/vm/NativeObject.cpp | 3 +++ js/src/vm/NativeObject.h | 9 +++++++++ 3 files changed, 14 insertions(+) diff --git a/js/src/vm/NativeObject-inl.h b/js/src/vm/NativeObject-inl.h index c7f398d6c637..4e87593805ec 100644 --- a/js/src/vm/NativeObject-inl.h +++ b/js/src/vm/NativeObject-inl.h @@ -120,6 +120,7 @@ NativeObject::ensureDenseInitializedLengthNoPackedCheck(ExclusiveContext* cx, ui uint32_t extra) { MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); /* * Ensure that the array's contents have been initialized up to index, and @@ -154,6 +155,7 @@ NativeObject::extendDenseElements(ExclusiveContext* cx, uint32_t requiredCapacity, uint32_t extra) { MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); /* * Don't grow elements for non-extensible objects or watched objects. Dense diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp index 4f3ab1f38804..4b7647a85dbe 100644 --- a/js/src/vm/NativeObject.cpp +++ b/js/src/vm/NativeObject.cpp @@ -95,6 +95,7 @@ ObjectElements::MakeElementsCopyOnWrite(ExclusiveContext* cx, NativeObject* obj) // Note: this method doesn't update type information to indicate that the // elements might be copy on write. Handling this is left to the caller. MOZ_ASSERT(!header->isCopyOnWrite()); + MOZ_ASSERT(!header->isFrozen()); header->flags |= COPY_ON_WRITE; header->ownerObject().init(obj); @@ -798,6 +799,7 @@ NativeObject::growElements(ExclusiveContext* cx, uint32_t reqCapacity) { MOZ_ASSERT(nonProxyIsExtensible()); MOZ_ASSERT(canHaveNonEmptyElements()); + MOZ_ASSERT(!denseElementsAreFrozen()); if (denseElementsAreCopyOnWrite()) MOZ_CRASH(); @@ -892,6 +894,7 @@ NativeObject::shrinkElements(ExclusiveContext* cx, uint32_t reqCapacity) NativeObject::CopyElementsForWrite(ExclusiveContext* cx, NativeObject* obj) { MOZ_ASSERT(obj->denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!obj->denseElementsAreFrozen()); // The original owner of a COW elements array should never be modified. MOZ_ASSERT(obj->getElementsHeader()->ownerObject() != obj); diff --git a/js/src/vm/NativeObject.h b/js/src/vm/NativeObject.h index a676445dfeed..9672f0570174 100644 --- a/js/src/vm/NativeObject.h +++ b/js/src/vm/NativeObject.h @@ -878,6 +878,7 @@ class NativeObject : public ShapedObject void prepareElementRangeForOverwrite(size_t start, size_t end) { MOZ_ASSERT(end <= getDenseInitializedLength()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); for (size_t i = start; i < end; i++) elements_[i].HeapSlot::~HeapSlot(); } @@ -973,6 +974,7 @@ class NativeObject : public ShapedObject /* Accessors for elements. */ bool ensureElements(ExclusiveContext* cx, uint32_t capacity) { MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); if (capacity > getDenseCapacity()) return growElements(cx, capacity); return true; @@ -1018,6 +1020,7 @@ class NativeObject : public ShapedObject void setDenseInitializedLength(uint32_t length) { MOZ_ASSERT(length <= getDenseCapacity()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); prepareElementRangeForOverwrite(length, getElementsHeader()->initializedLength); getElementsHeader()->initializedLength = length; } @@ -1027,12 +1030,14 @@ class NativeObject : public ShapedObject void setDenseElement(uint32_t index, const Value& val) { MOZ_ASSERT(index < getDenseInitializedLength()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); elements_[index].set(this, HeapSlot::Element, index, val); } void initDenseElement(uint32_t index, const Value& val) { MOZ_ASSERT(index < getDenseInitializedLength()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); elements_[index].init(this, HeapSlot::Element, index, val); } @@ -1056,6 +1061,7 @@ class NativeObject : public ShapedObject void copyDenseElements(uint32_t dstStart, const Value* src, uint32_t count) { MOZ_ASSERT(dstStart + count <= getDenseCapacity()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); if (JS::shadow::Zone::asShadowZone(zone())->needsIncrementalBarrier()) { for (uint32_t i = 0; i < count; ++i) elements_[dstStart + i].set(this, HeapSlot::Element, dstStart + i, src[i]); @@ -1068,6 +1074,7 @@ class NativeObject : public ShapedObject void initDenseElements(uint32_t dstStart, const Value* src, uint32_t count) { MOZ_ASSERT(dstStart + count <= getDenseCapacity()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); memcpy(&elements_[dstStart], src, count * sizeof(HeapSlot)); elementsRangeWriteBarrierPost(dstStart, count); } @@ -1076,6 +1083,7 @@ class NativeObject : public ShapedObject MOZ_ASSERT(dstStart + count <= getDenseCapacity()); MOZ_ASSERT(srcStart + count <= getDenseInitializedLength()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); /* * Using memmove here would skip write barriers. Also, we need to consider @@ -1113,6 +1121,7 @@ class NativeObject : public ShapedObject MOZ_ASSERT(dstStart + count <= getDenseCapacity()); MOZ_ASSERT(srcStart + count <= getDenseCapacity()); MOZ_ASSERT(!denseElementsAreCopyOnWrite()); + MOZ_ASSERT(!denseElementsAreFrozen()); memmove(elements_ + dstStart, elements_ + srcStart, count * sizeof(Value)); elementsRangeWriteBarrierPost(dstStart, count);