From 7c2f5c45026172552140d2764163290f6e3f1e21 Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Mon, 26 Jun 2017 20:15:41 -0400
Subject: [PATCH] Bug 1369994 - Ensure template objects for typed arrays are initialized properly before exposing them to GC r=jandem a=abillings

---
 js/src/vm/TypedArrayObject.cpp | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
index 64c6116f37e0..b0610ceda20c 100644
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -575,16 +575,11 @@ class TypedArrayObjectTemplate : public TypedArrayObject
 RootedScript script(cx, cx->currentScript(&pc));
 if (script && ObjectGroup::useSingletonForAllocationSite(script, pc, clasp))
 newKind = SingletonObject;
- RootedObject tmp(cx, NewBuiltinClassInstance(cx, clasp, allocKind, newKind));
+ JSObject* tmp = NewBuiltinClassInstance(cx, clasp, allocKind, newKind);
 if (!tmp)
 return nullptr;
- if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
- newKind == SingletonObject))
- {
- return nullptr;
- }
- TypedArrayObject* tarray = &tmp->as();
+ Rooted tarray(cx, &tmp->as());
 initTypedArraySlots(cx, tarray, len);
 
 // Template objects do not need memory for its elements, since there
@@ -592,6 +587,12 @@ class TypedArrayObjectTemplate : public TypedArrayObject
 // nullptr and avoid allocating memory that will never be used.
 tarray->initPrivate(nullptr);
 
+ if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tarray,
+ newKind == SingletonObject))
+ {
+ return nullptr;
+ }
+
 return tarray;
 }
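Review bot: The ordering that makes this fix work — setAllocationSiteObjectGroup() now runs only after initTypedArraySlots() and initPrivate(nullptr) in the second hunk — is not explained in the code, so a later refactor could move the call back above the initialization and reintroduce the half-initialized-object-visible-to-GC problem the commit message describes. A comment on the moved call would pin the invariant, e.g. `// Must stay after the slots and private pointer are initialized: this call can trigger a GC, and a template object must never be traced half-initialized.` The unrooted `JSObject* tmp` on the new side of the first hunk appears safe only because nothing between NewBuiltinClassInstance() and the Rooted declaration can allocate or GC; a one-line comment saying so would make the raw pointer look deliberate rather than accidental. The enclosing function begins before the first hunk, and the template arguments on `Rooted` and `as()` look lost in rendering rather than in the source.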