Bug 1369994 - Ensure template objects for typed arrays are initialized properly before exposing them to GC r=jandem a=abillings

2017-06-26 20:15:41 -04:00 · 2017-06-26 20:15:41 -04:00 · 7c2f5c4502
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@ -575,16 +575,11 @@ class TypedArrayObjectTemplate : public TypedArrayObject
        RootedScript script(cx, cx->currentScript(&pc));
        if (script && ObjectGroup::useSingletonForAllocationSite(script, pc, clasp))
            newKind = SingletonObject;
-        RootedObject tmp(cx, NewBuiltinClassInstance(cx, clasp, allocKind, newKind));
+        JSObject* tmp = NewBuiltinClassInstance(cx, clasp, allocKind, newKind);
        if (!tmp)
            return nullptr;
-        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
-                                                                 newKind == SingletonObject))
-        {
-            return nullptr;
-        }

-        TypedArrayObject* tarray = &tmp->as<TypedArrayObject>();
+        Rooted<TypedArrayObject*> tarray(cx, &tmp->as<TypedArrayObject>());
        initTypedArraySlots(cx, tarray, len);

        // Template objects do not need memory for its elements, since there
@ -592,6 +587,12 @@ class TypedArrayObjectTemplate : public TypedArrayObject
        // nullptr and avoid allocating memory that will never be used.
        tarray->initPrivate(nullptr);

+        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tarray,
+                                                                 newKind == SingletonObject))
+        {
+            return nullptr;
+        }
+
        return tarray;
    }