mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 979480 - Don't store array buffer contents in elements, r=sfink.

This commit is contained in:
Brian Hackett 2014-03-17 11:46:04 -06:00
Родитель 1e250fb46a
Коммит c39fd409c3
25 изменённых файлов: 500 добавлений и 1058 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

17
content/base/src/nsXMLHttpRequest.cpp
Просмотреть файл

@ -3817,8 +3817,7 @@ nsXMLHttpRequestXPCOMifier::GetInterface(const nsIID & aIID, void **aResult)
namespace mozilla {
ArrayBufferBuilder::ArrayBufferBuilder()
: mRawContents(nullptr),
mDataPtr(nullptr),
: mDataPtr(nullptr),
mCapacity(0),
mLength(0)
{
@ -3832,20 +3831,22 @@ ArrayBufferBuilder::~ArrayBufferBuilder()
void
ArrayBufferBuilder::reset()
{
if (mRawContents) {
JS_free(nullptr, mRawContents);
if (mDataPtr) {
JS_free(nullptr, mDataPtr);
}
mRawContents = mDataPtr = nullptr;
mDataPtr = nullptr;
mCapacity = mLength = 0;
}
bool
ArrayBufferBuilder::setCapacity(uint32_t aNewCap)
{
if (!JS_ReallocateArrayBufferContents(nullptr, aNewCap, &mRawContents, &mDataPtr)) {
uint8_t *newdata = (uint8_t *) JS_ReallocateArrayBufferContents(nullptr, aNewCap, mDataPtr, mCapacity);
if (!newdata) {
return false;
}
mDataPtr = newdata;
mCapacity = aNewCap;
if (mLength > aNewCap) {
mLength = aNewCap;
@ -3903,12 +3904,12 @@ ArrayBufferBuilder::getArrayBuffer(JSContext* aCx)
}
}
JSObject* obj = JS_NewArrayBufferWithContents(aCx, mRawContents);
JSObject* obj = JS_NewArrayBufferWithContents(aCx, mLength, mDataPtr);
if (!obj) {
return nullptr;
}
mRawContents = mDataPtr = nullptr;
mDataPtr = nullptr;
mLength = mCapacity = 0;
return obj;

1
content/base/src/nsXMLHttpRequest.h
Просмотреть файл

@ -62,7 +62,6 @@ namespace mozilla {
// or it can be reset explicitly at any point by calling reset().
class ArrayBufferBuilder
{
void* mRawContents;
uint8_t* mDataPtr;
uint32_t mCapacity;
uint32_t mLength;

11
content/media/webaudio/AudioBuffer.cpp
Просмотреть файл

@ -198,12 +198,11 @@ StealJSArrayDataIntoThreadSharedFloatArrayBufferList(JSContext* aJSContext,
for (uint32_t i = 0; i < aJSArrays.Length(); ++i) {
JS::Rooted<JSObject*> arrayBuffer(aJSContext,
JS_GetArrayBufferViewBuffer(aJSArrays[i]));
void* dataToFree = nullptr;
uint8_t* stolenData = nullptr;
if (arrayBuffer &&
JS_StealArrayBufferContents(aJSContext, arrayBuffer, &dataToFree,
&stolenData)) {
result->SetData(i, dataToFree, reinterpret_cast<float*>(stolenData));
uint8_t* stolenData = arrayBuffer
? (uint8_t*) JS_StealArrayBufferContents(aJSContext, arrayBuffer)
: nullptr;
if (stolenData) {
result->SetData(i, stolenData, reinterpret_cast<float*>(stolenData));
} else {
return nullptr;
}

12
js/src/builtin/TypedObject.cpp
Просмотреть файл

@ -1406,7 +1406,6 @@ TypedObject::createUnattachedWithClass(JSContext *cx,
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_BYTELENGTH, Int32Value(0));
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_OWNER, NullValue());
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_NEXT_VIEW, PrivateValue(nullptr));
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_NEXT_BUFFER, PrivateValue(UNSET_BUFFER_LINK));
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_LENGTH, Int32Value(length));
obj->initReservedSlot(JS_TYPEDOBJ_SLOT_TYPE_DESCR, ObjectValue(*type));
@ -1508,7 +1507,7 @@ TypedObject::createZeroed(JSContext *cx,
{
size_t totalSize = descr->as<SizedTypeDescr>().size();
Rooted<ArrayBufferObject*> buffer(cx);
buffer = ArrayBufferObject::create(cx, totalSize, false);
buffer = ArrayBufferObject::create(cx, totalSize);
if (!buffer)
return nullptr;
typeRepr->asSized()->initInstance(cx->runtime(), buffer->dataPointer(), 1);
@ -1529,7 +1528,7 @@ TypedObject::createZeroed(JSContext *cx,
}
Rooted<ArrayBufferObject*> buffer(cx);
buffer = ArrayBufferObject::create(cx, totalSize, false);
buffer = ArrayBufferObject::create(cx, totalSize);
if (!buffer)
return nullptr;
@ -1723,11 +1722,10 @@ TypedObject::obj_defineElement(JSContext *cx, HandleObject obj, uint32_t index,
PropertyOp getter, StrictPropertyOp setter, unsigned attrs)
{
AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
RootedObject delegate(cx, ArrayBufferDelegate(cx, obj));
if (!delegate)
Rooted<jsid> id(cx);
if (!IndexToId(cx, index, &id))
return false;
return baseops::DefineElement(cx, delegate, index, v, getter, setter, attrs);
return obj_defineGeneric(cx, obj, id, v, getter, setter, attrs);
}
bool

9
js/src/builtin/TypedObjectConstants.h
Просмотреть файл

@ -109,15 +109,14 @@
#define JS_TYPEDOBJ_SLOT_BYTELENGTH 1
#define JS_TYPEDOBJ_SLOT_OWNER 2
#define JS_TYPEDOBJ_SLOT_NEXT_VIEW 3
#define JS_TYPEDOBJ_SLOT_NEXT_BUFFER 4
#define JS_DATAVIEW_SLOTS 5 // Number of slots for data views
#define JS_DATAVIEW_SLOTS 4 // Number of slots for data views
#define JS_TYPEDOBJ_SLOT_LENGTH 5 // Length of array (see (*) below)
#define JS_TYPEDOBJ_SLOT_TYPE_DESCR 6 // For typed objects, type descr
#define JS_TYPEDOBJ_SLOT_LENGTH 4 // Length of array (see (*) below)
#define JS_TYPEDOBJ_SLOT_TYPE_DESCR 5 // For typed objects, type descr
#define JS_TYPEDOBJ_SLOT_DATA 7 // private slot, based on alloc kind
#define JS_TYPEDOBJ_SLOTS 7 // Number of slots for typed objs
#define JS_TYPEDOBJ_SLOTS 6 // Number of slots for typed objs
// (*) The JS_TYPEDOBJ_SLOT_LENGTH slot stores the length for typed objects of
// sized and unsized array type. The slot contains 0 for non-arrays.

39
js/src/gc/Nursery.cpp
Просмотреть файл

@ -278,24 +278,6 @@ js::Nursery::notifyInitialSlots(Cell *cell, HeapSlot *slots)
}
}
void
js::Nursery::notifyNewElements(gc::Cell *cell, ObjectElements *elements)
{
JS_ASSERT(!isInside(elements));
notifyInitialSlots(cell, reinterpret_cast<HeapSlot *>(elements));
}
void
js::Nursery::notifyRemovedElements(gc::Cell *cell, ObjectElements *oldElements)
{
JS_ASSERT(cell);
JS_ASSERT(oldElements);
JS_ASSERT(!isInside(oldElements));
if (isInside(cell))
hugeSlots.remove(reinterpret_cast<HeapSlot *>(oldElements));
}
namespace js {
namespace gc {
@ -620,25 +602,6 @@ js::Nursery::moveElementsToTenured(JSObject *dst, JSObject *src, AllocKind dstKi
return 0;
}
/* ArrayBuffer stores byte-length, not Value count. */
if (src->is<ArrayBufferObject>()) {
size_t nbytes;
if (src->hasDynamicElements()) {
nbytes = sizeof(ObjectElements) + srcHeader->initializedLength;
dstHeader = static_cast<ObjectElements *>(zone->malloc_(nbytes));
if (!dstHeader)
CrashAtUnhandlableOOM("Failed to allocate array buffer elements while tenuring.");
} else {
dst->setFixedElements();
nbytes = GetGCKindSlots(dst->tenuredGetAllocKind()) * sizeof(HeapSlot);
dstHeader = dst->getElementsHeader();
}
js_memcpy(dstHeader, srcHeader, nbytes);
setElementsForwardingPointer(srcHeader, dstHeader, nbytes / sizeof(HeapSlot));
dst->elements = dstHeader->elements();
return src->hasDynamicElements() ? nbytes : 0;
}
size_t nslots = ObjectElements::VALUES_PER_HEADER + srcHeader->capacity;
/* Unlike other objects, Arrays can have fixed elements. */
@ -784,7 +747,7 @@ js::Nursery::collect(JSRuntime *rt, JS::gcreason::Reason reason, TypeObjectList
// Update the array buffer object's view lists.
TIME_START(sweepArrayBufferViewList);
for (CompartmentsIter c(rt, SkipAtoms); !c.done(); c.next()) {
if (c->gcLiveArrayBuffers)
if (!c->gcLiveArrayBuffers.empty())
ArrayBufferObject::sweep(c);
}
TIME_END(sweepArrayBufferViewList);

6
js/src/gc/Nursery.h
Просмотреть файл

@ -106,12 +106,6 @@ class Nursery
/* Add a slots to our tracking list if it is out-of-line. */
void notifyInitialSlots(gc::Cell *cell, HeapSlot *slots);
/* Add elements to our tracking list if it is out-of-line. */
void notifyNewElements(gc::Cell *cell, ObjectElements *elements);
/* Remove elements to our tracking list if it is out-of-line. */
void notifyRemovedElements(gc::Cell *cell, ObjectElements *oldElements);
typedef Vector<types::TypeObject *, 0, SystemAllocPolicy> TypeObjectList;
/*

15
js/src/jsapi-tests/testArrayBuffer.cpp
Просмотреть файл

@ -51,8 +51,7 @@ BEGIN_TEST(testArrayBuffer_bug720949_steal)
CHECK_SAME(v, INT_TO_JSVAL(MAGIC_VALUE_2));
// Steal the contents
void *contents;
CHECK(JS_StealArrayBufferContents(cx, obj, &contents, &data));
void *contents = JS_StealArrayBufferContents(cx, obj);
CHECK(contents != nullptr);
CHECK(data != nullptr);
@ -72,7 +71,7 @@ BEGIN_TEST(testArrayBuffer_bug720949_steal)
CHECK_SAME(v, JSVAL_VOID);
// Transfer to a new ArrayBuffer
JS::RootedObject dst(cx, JS_NewArrayBufferWithContents(cx, contents));
JS::RootedObject dst(cx, JS_NewArrayBufferWithContents(cx, size, contents));
CHECK(JS_IsArrayBufferObject(dst));
data = JS_GetStableArrayBufferData(cx, obj);
@ -105,11 +104,8 @@ BEGIN_TEST(testArrayBuffer_bug720949_viewList)
{
buffer = JS_NewArrayBuffer(cx, 2000);
JS::RootedObject view(cx, JS_NewUint8ArrayWithBuffer(cx, buffer, 0, -1));
void *contents;
uint8_t *data;
CHECK(JS_StealArrayBufferContents(cx, buffer, &contents, &data));
void *contents = JS_StealArrayBufferContents(cx, buffer);
CHECK(contents != nullptr);
CHECK(data != nullptr);
JS_free(nullptr, contents);
GC(cx);
CHECK(isNeutered(view));
@ -133,11 +129,8 @@ BEGIN_TEST(testArrayBuffer_bug720949_viewList)
view2 = JS_NewUint8ArrayWithBuffer(cx, buffer, 1, 200);
// Neuter
void *contents;
uint8_t *data;
CHECK(JS_StealArrayBufferContents(cx, buffer, &contents, &data));
void *contents = JS_StealArrayBufferContents(cx, buffer);
CHECK(contents != nullptr);
CHECK(data != nullptr);
JS_free(nullptr, contents);
CHECK(isNeutered(view1));

37
js/src/jsapi.h
Просмотреть файл

@ -3120,47 +3120,38 @@ JS_PUBLIC_API(void)
JS_SetAllNonReservedSlotsToUndefined(JSContext *cx, JSObject *objArg);
/*
* Create a new array buffer with the given contents, which must have been
* returned by JS_AllocateArrayBufferContents or JS_StealArrayBufferContents.
* The new array buffer takes ownership. After calling this function, do not
* free |contents| or use |contents| from another thread.
* Create a new array buffer with the given contents. The new array buffer
* takes ownership: after calling this function, do not free |contents| or use
* |contents| from another thread.
*/
extern JS_PUBLIC_API(JSObject *)
JS_NewArrayBufferWithContents(JSContext *cx, void *contents);
JS_NewArrayBufferWithContents(JSContext *cx, size_t nbytes, void *contents);
/*
* Steal the contents of the given array buffer. The array buffer has its
* length set to 0 and its contents array cleared. The caller takes ownership
* of |*contents| and must free it or transfer ownership via
* of the return value and must free it or transfer ownership via
* JS_NewArrayBufferWithContents when done using it.
* To free |*contents|, call free().
* A pointer to the buffer's data is returned in |*data|. This pointer can
* be used until |*contents| is freed or has its ownership transferred.
*/
extern JS_PUBLIC_API(bool)
JS_StealArrayBufferContents(JSContext *cx, JS::HandleObject obj, void **contents, uint8_t **data);
extern JS_PUBLIC_API(void *)
JS_StealArrayBufferContents(JSContext *cx, JS::HandleObject obj);
/*
* Allocate memory that may be eventually passed to
* JS_NewArrayBufferWithContents. |maybecx| is optional; if a non-nullptr cx is
* given, it will be used for memory accounting and OOM reporting. |nbytes| is
* the number of payload bytes required. The pointer to pass to
* JS_NewArrayBufferWithContents is returned in |contents|. The pointer to the
* |nbytes| of usable memory is returned in |data|. (*|contents| will contain a
* header before |data|.) The only legal operations on *|contents| are to pass
* it to either JS_NewArrayBufferWithContents or
* JS_ReallocateArrayBufferContents, or free it with js_free or JS_free.
* the number of payload bytes required.
*/
extern JS_PUBLIC_API(bool)
JS_AllocateArrayBufferContents(JSContext *maybecx, uint32_t nbytes, void **contents, uint8_t **data);
extern JS_PUBLIC_API(void *)
JS_AllocateArrayBufferContents(JSContext *maybecx, uint32_t nbytes);
/*
* Reallocate memory allocated by JS_AllocateArrayBufferContents, growing or
* shrinking it as appropriate. The new data pointer will be returned in data.
* If *contents is nullptr, behaves like JS_AllocateArrayBufferContents.
* shrinking it as appropriate. If oldContents is null then this behaves like
* JS_AllocateArrayBufferContents.
*/
extern JS_PUBLIC_API(bool)
JS_ReallocateArrayBufferContents(JSContext *cx, uint32_t nbytes, void **contents, uint8_t **data);
extern JS_PUBLIC_API(void *)
JS_ReallocateArrayBufferContents(JSContext *cx, uint32_t nbytes, void *oldContents, uint32_t oldNbytes);
extern JS_PUBLIC_API(JSIdArray *)
JS_Enumerate(JSContext *cx, JSObject *obj);

1
js/src/jscompartment.cpp
Просмотреть файл

@ -58,7 +58,6 @@ JSCompartment::JSCompartment(Zone *zone, const JS::CompartmentOptions &options =
propertyTree(thisForCtor()),
selfHostingScriptSource(nullptr),
gcIncomingGrayPointers(nullptr),
gcLiveArrayBuffers(nullptr),
gcWeakMapList(nullptr),
debugModeBits(runtime_->debugMode ? DebugFromC : 0),
rngState(0),

4
js/src/jscompartment.h
Просмотреть файл

@ -280,8 +280,8 @@ struct JSCompartment
*/
JSObject *gcIncomingGrayPointers;
/* Linked list of live array buffers with >1 view. */
js::ArrayBufferObject *gcLiveArrayBuffers;
/* During GC, list of live array buffers with >1 view accumulated during tracing. */
js::ArrayBufferVector gcLiveArrayBuffers;
/* Linked list of live weakmaps in this compartment. */
js::WeakMapBase *gcWeakMapList;

6
js/src/jsgc.cpp
Просмотреть файл

@ -3001,7 +3001,7 @@ BeginMarkPhase(JSRuntime *rt)
}
for (CompartmentsIter c(rt, WithAtoms); !c.done(); c.next()) {
JS_ASSERT(!c->gcLiveArrayBuffers);
JS_ASSERT(c->gcLiveArrayBuffers.empty());
c->marked = false;
if (ShouldPreserveJITCode(c, currentTime))
c->zone()->setPreservingCode(true);
@ -4253,7 +4253,7 @@ EndSweepPhase(JSRuntime *rt, JSGCInvocationKind gckind, bool lastGC)
#ifdef DEBUG
for (CompartmentsIter c(rt, SkipAtoms); !c.done(); c.next()) {
JS_ASSERT(!c->gcIncomingGrayPointers);
JS_ASSERT(!c->gcLiveArrayBuffers);
JS_ASSERT(c->gcLiveArrayBuffers.empty());
for (JSCompartment::WrapperEnum e(c); !e.empty(); e.popFront()) {
if (e.front().key().kind != CrossCompartmentKey::StringWrapper)
@ -4468,7 +4468,7 @@ ResetIncrementalGC(JSRuntime *rt, const char *reason)
#ifdef DEBUG
for (CompartmentsIter c(rt, SkipAtoms); !c.done(); c.next())
JS_ASSERT(!c->gcLiveArrayBuffers);
JS_ASSERT(c->gcLiveArrayBuffers.empty());
for (ZonesIter zone(rt, WithAtoms); !zone.done(); zone.next()) {
JS_ASSERT(!zone->needsBarrier());

14
js/src/jsobj.cpp
Просмотреть файл

@ -5898,17 +5898,7 @@ JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf, JS::Objects
if (hasDynamicElements()) {
js::ObjectElements *elements = getElementsHeader();
if (MOZ_UNLIKELY(elements->isAsmJSArrayBuffer())) {
#if defined (JS_CPU_X64)
// On x64, ArrayBufferObject::prepareForAsmJS switches the
// ArrayBufferObject to use mmap'd storage.
sizes->nonHeapElementsAsmJS += as<ArrayBufferObject>().byteLength();
#else
sizes->mallocHeapElementsAsmJS += mallocSizeOf(elements);
#endif
} else {
sizes->mallocHeapElementsNonAsmJS += mallocSizeOf(elements);
}
sizes->mallocHeapElementsNonAsmJS += mallocSizeOf(elements);
}
// Other things may be measured in the future if DMD indicates it is worthwhile.
@ -5935,6 +5925,8 @@ JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf, JS::Objects
sizes->mallocHeapRegExpStatics += as<RegExpStaticsObject>().sizeOfData(mallocSizeOf);
} else if (is<PropertyIteratorObject>()) {
sizes->mallocHeapPropertyIteratorData += as<PropertyIteratorObject>().sizeOfMisc(mallocSizeOf);
} else if (is<ArrayBufferObject>() || is<SharedArrayBufferObject>()) {
ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, sizes);
#ifdef JS_ION
} else if (is<AsmJSModuleObject>()) {
as<AsmJSModuleObject>().addSizeOfMisc(mallocSizeOf, &sizes->nonHeapCodeAsmJS,

19
js/src/jsobjinlines.h
Просмотреть файл

@ -527,7 +527,7 @@ JSObject::create(js::ExclusiveContext *cx, js::gc::AllocKind kind, js::gc::Initi
obj->privateRef(shape->numFixedSlots()) = nullptr;
size_t span = shape->slotSpan();
if (span && clasp != &js::ArrayBufferObject::class_)
if (span)
obj->initializeSlotRange(0, span);
return obj;
@ -573,12 +573,10 @@ JSObject::finish(js::FreeOp *fop)
{
if (hasDynamicSlots())
fop->free_(slots);
if (hasDynamicElements()) {
js::ObjectElements *elements = getElementsHeader();
if (MOZ_UNLIKELY(elements->isAsmJSArrayBuffer()))
js::ArrayBufferObject::releaseAsmJSArrayBuffer(fop, this);
else
fop->free_(elements);
fop->free_(elements);
}
}
@ -941,6 +939,17 @@ NewBuiltinClassInstance(ExclusiveContext *cx, NewObjectKind newKind = GenericObj
return &obj->as<T>();
}
template<typename T>
inline T *
NewBuiltinClassInstance(ExclusiveContext *cx, gc::AllocKind allocKind, NewObjectKind newKind = GenericObject)
{
JSObject *obj = NewBuiltinClassInstance(cx, &T::class_, allocKind, newKind);
if (!obj)
return nullptr;
return &obj->as<T>();
}
// Used to optimize calls to (new Object())
bool
NewObjectScriptedCall(JSContext *cx, MutableHandleObject obj);

8
js/src/shell/js.cpp
Просмотреть файл

@ -1025,7 +1025,6 @@ CacheEntry_setBytecode(JSContext *cx, HandleObject cache, uint8_t *buffer, uint3
if (!arrayBuffer || !ArrayBufferObject::ensureNonInline(cx, arrayBuffer))
return false;
memcpy(arrayBuffer->dataPointer(), buffer, length);
SetReservedSlot(cache, CacheEntry_BYTECODE, OBJECT_TO_JSVAL(arrayBuffer));
return true;
}
@ -1284,6 +1283,8 @@ Evaluate(JSContext *cx, unsigned argc, jsval *vp)
if (!CacheEntry_setBytecode(cx, cacheEntry, saveBuffer, saveLength))
return false;
saveBuffer.forget();
}
return JS_WrapValue(cx, args.rval());
@ -6220,6 +6221,11 @@ main(int argc, char **argv, char **envp)
PR_JoinThread(workerThreads[i]);
#endif
#ifdef JSGC_GENERATIONAL
if (!noggc.empty())
noggc.destroy();
#endif
JS_DestroyRuntime(rt);
JS_ShutDown();
return result;

1001
js/src/vm/ArrayBufferObject.cpp
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

198
js/src/vm/ArrayBufferObject.h
Просмотреть файл

@ -53,6 +53,13 @@ class ArrayBufferObject : public JSObject
static bool fun_slice_impl(JSContext *cx, CallArgs args);
public:
static const uint8_t DATA_SLOT = 0;
static const uint8_t BYTE_LENGTH_SLOT = 1;
static const uint8_t VIEW_LIST_SLOT = 2;
static const uint8_t FLAGS_SLOT = 3;
static const uint8_t RESERVED_SLOTS = 4;
static const Class class_;
static const Class protoClass;
@ -67,7 +74,7 @@ class ArrayBufferObject : public JSObject
static bool class_constructor(JSContext *cx, unsigned argc, Value *vp);
static ArrayBufferObject *create(JSContext *cx, uint32_t nbytes, bool clear = true,
static ArrayBufferObject *create(JSContext *cx, uint32_t nbytes, void *contents = nullptr,
NewObjectKind newKind = GenericObject);
static JSObject *createSlice(JSContext *cx, Handle<ArrayBufferObject*> arrayBuffer,
@ -84,57 +91,17 @@ class ArrayBufferObject : public JSObject
static void obj_trace(JSTracer *trc, JSObject *obj);
static bool obj_lookupGeneric(JSContext *cx, HandleObject obj, HandleId id,
MutableHandleObject objp, MutableHandleShape propp);
static bool obj_lookupProperty(JSContext *cx, HandleObject obj, HandlePropertyName name,
MutableHandleObject objp, MutableHandleShape propp);
static bool obj_lookupElement(JSContext *cx, HandleObject obj, uint32_t index,
MutableHandleObject objp, MutableHandleShape propp);
static bool obj_defineGeneric(JSContext *cx, HandleObject obj, HandleId id, HandleValue v,
PropertyOp getter, StrictPropertyOp setter, unsigned attrs);
static bool obj_defineProperty(JSContext *cx, HandleObject obj,
HandlePropertyName name, HandleValue v,
PropertyOp getter, StrictPropertyOp setter, unsigned attrs);
static bool obj_defineElement(JSContext *cx, HandleObject obj, uint32_t index, HandleValue v,
PropertyOp getter, StrictPropertyOp setter, unsigned attrs);
static bool obj_getGeneric(JSContext *cx, HandleObject obj, HandleObject receiver,
HandleId id, MutableHandleValue vp);
static bool obj_getProperty(JSContext *cx, HandleObject obj, HandleObject receiver,
HandlePropertyName name, MutableHandleValue vp);
static bool obj_getElement(JSContext *cx, HandleObject obj, HandleObject receiver,
uint32_t index, MutableHandleValue vp);
static bool obj_setGeneric(JSContext *cx, HandleObject obj, HandleId id,
MutableHandleValue vp, bool strict);
static bool obj_setProperty(JSContext *cx, HandleObject obj, HandlePropertyName name,
MutableHandleValue vp, bool strict);
static bool obj_setElement(JSContext *cx, HandleObject obj, uint32_t index,
MutableHandleValue vp, bool strict);
static bool obj_getGenericAttributes(JSContext *cx, HandleObject obj,
HandleId id, unsigned *attrsp);
static bool obj_setGenericAttributes(JSContext *cx, HandleObject obj,
HandleId id, unsigned *attrsp);
static bool obj_deleteProperty(JSContext *cx, HandleObject obj, HandlePropertyName name,
bool *succeeded);
static bool obj_deleteElement(JSContext *cx, HandleObject obj, uint32_t index,
bool *succeeded);
static bool obj_enumerate(JSContext *cx, HandleObject obj, JSIterateOp enum_op,
MutableHandleValue statep, MutableHandleId idp);
static void sweep(JSCompartment *rt);
static void resetArrayBufferList(JSCompartment *rt);
static bool saveArrayBufferList(JSCompartment *c, ArrayBufferVector &vector);
static void restoreArrayBufferLists(ArrayBufferVector &vector);
static void *stealContents(JSContext *cx, Handle<ArrayBufferObject*> buffer);
bool hasStealableContents() const {
// Inline elements strictly adhere to the corresponding buffer.
if (!hasDynamicElements())
if (!ownsData())
return false;
// asm.js buffer contents are transferred by copying, just like inline
@ -150,31 +117,12 @@ class ArrayBufferObject : public JSObject
return !isNeutered();
}
static bool stealContents(JSContext *cx, Handle<ArrayBufferObject*> buffer, void **contents,
uint8_t **data);
static void updateElementsHeader(js::ObjectElements *header, uint32_t bytes) {
header->initializedLength = bytes;
// NB: one or both of these fields is clobbered by GetViewList to store
// the 'views' link. Set them to 0 to effectively initialize 'views'
// to nullptr.
header->length = 0;
header->capacity = 0;
}
static void initElementsHeader(js::ObjectElements *header, uint32_t bytes) {
header->flags = 0;
updateElementsHeader(header, bytes);
}
static uint32_t headerInitializedLength(const js::ObjectElements *header) {
return header->initializedLength;
}
static void addSizeOfExcludingThis(JSObject *obj, mozilla::MallocSizeOf mallocSizeOf,
JS::ObjectsExtraSizes *sizes);
void addView(ArrayBufferViewObject *view);
void changeContents(JSContext *cx, ObjectElements *newHeader);
void changeContents(JSContext *cx, void *newData);
/*
* Ensure data is not stored inline in the object. Used when handing back a
@ -182,28 +130,15 @@ class ArrayBufferObject : public JSObject
*/
static bool ensureNonInline(JSContext *cx, Handle<ArrayBufferObject*> buffer);
uint32_t byteLength() const {
return getElementsHeader()->initializedLength;
}
bool canNeuter(JSContext *cx);
/*
* Neuter all views of an ArrayBuffer.
*/
static bool neuterViews(JSContext *cx, Handle<ArrayBufferObject*> buffer);
/* Neuter this buffer and all its views. */
static void neuter(JSContext *cx, Handle<ArrayBufferObject*> buffer, void *newData);
uint8_t * dataPointer() const;
uint8_t *dataPointer() const;
size_t byteLength() const;
/*
* Discard the ArrayBuffer contents, and use |newHeader| for the buffer's
* new contents. (These new contents are zeroed, of identical size in
* memory as the current contents, but appear to be neutered and of zero
* length. This is purely precautionary against stale indexes that were
* in-bounds with respect to the initial length but would not be after
* neutering. This precaution will be removed once we're sure such stale
* indexing no longer happens.) For asm.js buffers, at least, should
* be called after neuterViews().
*/
void neuter(ObjectElements *newHeader, JSContext *cx);
void releaseData(FreeOp *fop);
/*
* Check if the arrayBuffer contains any data. This will return false for
@ -213,19 +148,68 @@ class ArrayBufferObject : public JSObject
return getClass() == &class_;
}
bool isSharedArrayBuffer() const {
return getElementsHeader()->isSharedArrayBuffer();
bool isAsmJSArrayBuffer() const { return flags() & ASMJS_BUFFER; }
bool isSharedArrayBuffer() const { return flags() & SHARED_BUFFER; }
bool isNeutered() const { return flags() & NEUTERED_BUFFER; }
static bool prepareForAsmJS(JSContext *cx, Handle<ArrayBufferObject*> buffer);
static bool canNeuterAsmJSArrayBuffer(JSContext *cx, ArrayBufferObject &buffer);
static void finalize(FreeOp *fop, JSObject *obj);
protected:
enum OwnsState {
DoesntOwnData = 0,
OwnsData = 1,
};
void setDataPointer(void *data, OwnsState ownsState);
void setByteLength(size_t length);
ArrayBufferViewObject *viewList() const;
void setViewList(ArrayBufferViewObject *viewsHead);
void setViewListNoBarrier(ArrayBufferViewObject *viewsHead);
enum ArrayBufferFlags {
// In the gcLiveArrayBuffers list.
IN_LIVE_LIST = 0x1,
// The dataPointer() is owned by this buffer and should be released
// when no longer in use. Releasing the pointer may be done by either
// freeing or unmapping it, and how to do this is determined by the
// buffer's other flags.
OWNS_DATA = 0x2,
ASMJS_BUFFER = 0x4,
SHARED_BUFFER = 0x8,
NEUTERED_BUFFER = 0x10
};
uint32_t flags() const;
void setFlags(uint32_t flags);
bool inLiveList() const { return flags() & IN_LIVE_LIST; }
void setInLiveList(bool value) {
setFlags(value ? (flags() | IN_LIVE_LIST) : (flags() & ~IN_LIVE_LIST));
}
bool isAsmJSArrayBuffer() const {
return getElementsHeader()->isAsmJSArrayBuffer();
bool ownsData() const { return flags() & OWNS_DATA; }
void setOwnsData(OwnsState owns) {
setFlags(owns ? (flags() | OWNS_DATA) : (flags() & ~OWNS_DATA));
}
bool isNeutered() const {
return getElementsHeader()->isNeuteredBuffer();
void setIsAsmJSArrayBuffer() { setFlags(flags() | ASMJS_BUFFER); }
void setIsSharedArrayBuffer() { setFlags(flags() | SHARED_BUFFER); }
void setIsNeutered() { setFlags(flags() | NEUTERED_BUFFER); }
void initialize(size_t byteLength, void *data, OwnsState ownsState) {
setByteLength(byteLength);
setFlags(0);
setViewListNoBarrier(nullptr);
setDataPointer(data, ownsState);
}
static bool prepareForAsmJS(JSContext *cx, Handle<ArrayBufferObject*> buffer);
static bool neuterAsmJSArrayBuffer(JSContext *cx, ArrayBufferObject &buffer);
static void releaseAsmJSArrayBuffer(FreeOp *fop, JSObject *obj);
void releaseAsmJSArray(FreeOp *fop);
};
/*
@ -249,35 +233,24 @@ class ArrayBufferViewObject : public JSObject
/* ArrayBufferObjects point to a linked list of views, chained through this slot */
static const size_t NEXT_VIEW_SLOT = JS_TYPEDOBJ_SLOT_NEXT_VIEW;
/*
* When ArrayBufferObjects are traced during GC, they construct a linked
* list of ArrayBufferObjects with more than one view, chained through this
* slot of the first view of each ArrayBufferObject.
*/
static const size_t NEXT_BUFFER_SLOT = JS_TYPEDOBJ_SLOT_NEXT_BUFFER;
public:
JSObject *bufferObject() const {
return &getFixedSlot(BUFFER_SLOT).toObject();
}
ArrayBufferObject *bufferLink() {
return static_cast<ArrayBufferObject*>(getFixedSlot(NEXT_BUFFER_SLOT).toPrivate());
}
inline void setBufferLink(ArrayBufferObject *buffer);
ArrayBufferViewObject *nextView() const {
return static_cast<ArrayBufferViewObject*>(getFixedSlot(NEXT_VIEW_SLOT).toPrivate());
}
inline void setNextView(ArrayBufferViewObject *view);
void prependToViews(ArrayBufferViewObject *viewsHead);
void neuter(JSContext *cx);
static void trace(JSTracer *trc, JSObject *obj);
uint8_t *dataPointer() {
return static_cast<uint8_t *>(getPrivate());
}
};
bool
@ -323,13 +296,6 @@ bool IsArrayBuffer(JSObject *obj);
ArrayBufferObject &AsArrayBuffer(HandleObject obj);
ArrayBufferObject &AsArrayBuffer(JSObject *obj);
inline void
ArrayBufferViewObject::setBufferLink(ArrayBufferObject *buffer)
{
setFixedSlot(NEXT_BUFFER_SLOT, PrivateValue(buffer));
PostBarrierTypedArrayObject(this);
}
inline void
ArrayBufferViewObject::setNextView(ArrayBufferViewObject *view)
{

14
js/src/vm/ObjectImpl.cpp
Просмотреть файл

@ -383,20 +383,6 @@ js::ObjectImpl::markChildren(JSTracer *trc)
}
}
JSObject *
js::ArrayBufferDelegate(JSContext *cx, Handle<ObjectImpl*> obj)
{
MOZ_ASSERT(obj->hasClass(&ArrayBufferObject::class_) ||
obj->hasClass(&SharedArrayBufferObject::class_));
if (obj->getPrivate())
return static_cast<JSObject *>(obj->getPrivate());
JSObject *delegate = NewObjectWithGivenProto(cx, &JSObject::class_,
obj->getTaggedProto(), nullptr);
obj->setPrivateGCThing(delegate);
return delegate;
}
void
AutoPropDescRooter::trace(JSTracer *trc)
{

30
js/src/vm/ObjectImpl.h
Просмотреть файл

@ -168,23 +168,16 @@ class ObjectElements
public:
enum Flags {
CONVERT_DOUBLE_ELEMENTS = 0x1,
ASMJS_ARRAY_BUFFER = 0x2,
NEUTERED_BUFFER = 0x4,
SHARED_ARRAY_BUFFER = 0x8,
// Present only if these elements correspond to an array with
// non-writable length; never present for non-arrays.
NONWRITABLE_ARRAY_LENGTH = 0x10
NONWRITABLE_ARRAY_LENGTH = 0x2
};
private:
friend class ::JSObject;
friend class ObjectImpl;
friend class ArrayObject;
friend class ArrayBufferObject;
friend class ArrayBufferViewObject;
friend class SharedArrayBufferObject;
friend class TypedArrayObject;
friend class Nursery;
template <ExecutionMode mode>
@ -231,24 +224,6 @@ class ObjectElements
void clearShouldConvertDoubleElements() {
flags &= ~CONVERT_DOUBLE_ELEMENTS;
}
bool isAsmJSArrayBuffer() const {
return flags & ASMJS_ARRAY_BUFFER;
}
void setIsAsmJSArrayBuffer() {
flags |= ASMJS_ARRAY_BUFFER;
}
bool isNeuteredBuffer() const {
return flags & NEUTERED_BUFFER;
}
void setIsNeuteredBuffer() {
flags |= NEUTERED_BUFFER;
}
bool isSharedArrayBuffer() const {
return flags & SHARED_ARRAY_BUFFER;
}
void setIsSharedArrayBuffer() {
flags |= SHARED_ARRAY_BUFFER;
}
bool hasNonwritableArrayLength() const {
return flags & NONWRITABLE_ARRAY_LENGTH;
}
@ -1039,9 +1014,6 @@ IsObjectValueInCompartment(js::Value v, JSCompartment *comp)
}
#endif
extern JSObject *
ArrayBufferDelegate(JSContext *cx, Handle<ObjectImpl*> obj);
} /* namespace js */
#endif /* vm_ObjectImpl_h */

69
js/src/vm/SharedArrayObject.cpp
Просмотреть файл

@ -23,8 +23,6 @@ using namespace js;
using mozilla::IsNaN;
using mozilla::PodCopy;
#define SHAREDARRAYBUFFER_RESERVED_SLOTS 15
/*
* SharedArrayRawBuffer
*/
@ -179,53 +177,26 @@ SharedArrayBufferObject::New(JSContext *cx, uint32_t length)
return nullptr;
}
RootedObject obj(cx, NewBuiltinClassInstance(cx, &class_));
if (!obj)
return nullptr;
JS_ASSERT(obj->getClass() == &class_);
Rooted<js::Shape*> empty(cx);
empty = EmptyShape::getInitialShape(cx, &class_, obj->getProto(), obj->getParent(),
obj->getMetadata(), gc::FINALIZE_OBJECT16_BACKGROUND);
if (!empty)
return nullptr;
obj->setLastPropertyInfallible(empty);
obj->setFixedElements();
obj->as<SharedArrayBufferObject>().initElementsHeader(obj->getElementsHeader(), length);
obj->getElementsHeader()->setIsSharedArrayBuffer();
SharedArrayRawBuffer *buffer = SharedArrayRawBuffer::New(length);
if (!buffer)
return nullptr;
obj->as<SharedArrayBufferObject>().acceptRawBuffer(buffer);
return obj;
return New(cx, buffer);
}
JSObject *
SharedArrayBufferObject::New(JSContext *cx, SharedArrayRawBuffer *buffer)
{
RootedObject obj(cx, NewBuiltinClassInstance(cx, &class_));
Rooted<SharedArrayBufferObject*> obj(cx, NewBuiltinClassInstance<SharedArrayBufferObject>(cx));
if (!obj)
return nullptr;
JS_ASSERT(obj->getClass() == &class_);
Rooted<js::Shape*> empty(cx);
empty = EmptyShape::getInitialShape(cx, &class_, obj->getProto(), obj->getParent(),
obj->getMetadata(), gc::FINALIZE_OBJECT16_BACKGROUND);
if (!empty)
return nullptr;
obj->setLastPropertyInfallible(empty);
obj->initialize(buffer->byteLength(), nullptr, DoesntOwnData);
obj->setFixedElements();
obj->as<SharedArrayBufferObject>().initElementsHeader(obj->getElementsHeader(),
buffer->byteLength());
obj->getElementsHeader()->setIsSharedArrayBuffer();
obj->as<SharedArrayBufferObject>().acceptRawBuffer(buffer);
obj->acceptRawBuffer(buffer);
obj->setIsSharedArrayBuffer();
return obj;
}
@ -283,8 +254,6 @@ SharedArrayBufferObject::Finalize(FreeOp *fop, JSObject *obj)
const Class SharedArrayBufferObject::protoClass = {
"SharedArrayBufferPrototype",
JSCLASS_HAS_PRIVATE |
JSCLASS_HAS_RESERVED_SLOTS(SHAREDARRAYBUFFER_RESERVED_SLOTS) |
JSCLASS_HAS_CACHED_PROTO(JSProto_SharedArrayBuffer),
JS_PropertyStub, /* addProperty */
JS_DeletePropertyStub, /* delProperty */
@ -297,10 +266,8 @@ const Class SharedArrayBufferObject::protoClass = {
const Class SharedArrayBufferObject::class_ = {
"SharedArrayBuffer",
JSCLASS_HAS_PRIVATE |
JSCLASS_IMPLEMENTS_BARRIERS |
Class::NON_NATIVE |
JSCLASS_HAS_RESERVED_SLOTS(SHAREDARRAYBUFFER_RESERVED_SLOTS) |
JSCLASS_HAS_RESERVED_SLOTS(SharedArrayBufferObject::RESERVED_SLOTS) |
JSCLASS_HAS_CACHED_PROTO(JSProto_SharedArrayBuffer),
JS_PropertyStub, /* addProperty */
JS_DeletePropertyStub, /* delProperty */
@ -315,29 +282,7 @@ const Class SharedArrayBufferObject::class_ = {
nullptr, /* construct */
ArrayBufferObject::obj_trace,
JS_NULL_CLASS_SPEC,
JS_NULL_CLASS_EXT,
{
ArrayBufferObject::obj_lookupGeneric,
ArrayBufferObject::obj_lookupProperty,
ArrayBufferObject::obj_lookupElement,
ArrayBufferObject::obj_defineGeneric,
ArrayBufferObject::obj_defineProperty,
ArrayBufferObject::obj_defineElement,
ArrayBufferObject::obj_getGeneric,
ArrayBufferObject::obj_getProperty,
ArrayBufferObject::obj_getElement,
ArrayBufferObject::obj_setGeneric,
ArrayBufferObject::obj_setProperty,
ArrayBufferObject::obj_setElement,
ArrayBufferObject::obj_getGenericAttributes,
ArrayBufferObject::obj_setGenericAttributes,
ArrayBufferObject::obj_deleteProperty,
ArrayBufferObject::obj_deleteElement,
nullptr, nullptr, /* watch/unwatch */
nullptr, /* slice */
ArrayBufferObject::obj_enumerate,
nullptr, /* thisObject */
}
JS_NULL_CLASS_EXT
};
JSObject *

5
js/src/vm/SharedArrayObject.h
Просмотреть файл

@ -74,8 +74,9 @@ class SharedArrayBufferObject : public ArrayBufferObject
static const Class protoClass;
// Slot used for storing a pointer to the SharedArrayRawBuffer.
// First two slots hold the ObjectElements.
static const int32_t RAWBUF_SLOT = 2;
static const uint8_t RAWBUF_SLOT = ArrayBufferObject::RESERVED_SLOTS;
static const uint8_t RESERVED_SLOTS = ArrayBufferObject::RESERVED_SLOTS + 1;
static bool class_constructor(JSContext *cx, unsigned argc, Value *vp);

18
js/src/vm/StructuredClone.cpp
Просмотреть файл

@ -977,6 +977,8 @@ JSStructuredCloneWriter::writeTransferMap()
return false;
if (!out.writePtr(nullptr)) // Pointer to ArrayBuffer contents or to SharedArrayRawBuffer.
return false;
if (!out.write(0)) // |byteLength| for an ArrayBuffer, 0 for SharedArrayBuffer
return false;
if (!out.write(0)) // |userdata|, intended to be passed to callbacks.
return false;
}
@ -1006,14 +1008,15 @@ JSStructuredCloneWriter::transferOwnership()
MOZ_ASSERT(uint32_t(LittleEndian::readUint64(point)) == SCTAG_TM_UNFILLED);
if (obj->is<ArrayBufferObject>()) {
void *content;
uint8_t *data;
if (!JS_StealArrayBufferContents(context(), obj, &content, &data))
size_t nbytes = obj->as<ArrayBufferObject>().byteLength();
void *contents = JS_StealArrayBufferContents(context(), obj);
if (!contents)
return false; // Destructor will clean up the already-transferred data
uint64_t entryTag = PairToUInt64(SCTAG_TRANSFER_MAP_ENTRY, SCTAG_TM_ALLOC_DATA);
LittleEndian::writeUint64(point++, entryTag);
LittleEndian::writeUint64(point++, reinterpret_cast<uint64_t>(content));
LittleEndian::writeUint64(point++, reinterpret_cast<uint64_t>(contents));
LittleEndian::writeUint64(point++, nbytes);
LittleEndian::writeUint64(point++, 0);
} else {
SharedArrayRawBuffer *rawbuf = obj->as<SharedArrayBufferObject>().rawBufferObject();
@ -1026,6 +1029,7 @@ JSStructuredCloneWriter::transferOwnership()
LittleEndian::writeUint64(point++, entryTag);
LittleEndian::writeUint64(point++, reinterpret_cast<uint64_t>(rawbuf));
LittleEndian::writeUint64(point++, 0);
LittleEndian::writeUint64(point++, 0);
}
}
@ -1512,6 +1516,10 @@ JSStructuredCloneReader::readTransferMap()
if (!in.readPtr(&content))
return false;
uint64_t nbytes;
if (!in.read(&nbytes))
return false;
uint64_t userdata;
if (!in.read(&userdata))
return false;
@ -1519,7 +1527,7 @@ JSStructuredCloneReader::readTransferMap()
RootedObject obj(context());
if (data == SCTAG_TM_ALLOC_DATA)
obj = JS_NewArrayBufferWithContents(context(), content);
obj = JS_NewArrayBufferWithContents(context(), nbytes, content);
else if (data == SCTAG_TM_SHARED_BUFFER)
obj = SharedArrayBufferObject::New(context(), (SharedArrayRawBuffer *)content);

2
js/src/vm/TypedArrayObject.cpp
Просмотреть файл

@ -349,7 +349,6 @@ class TypedArrayObjectTemplate : public TypedArrayObject
obj->setSlot(BYTEOFFSET_SLOT, Int32Value(byteOffset));
obj->setSlot(BYTELENGTH_SLOT, Int32Value(len * sizeof(NativeType)));
obj->setSlot(NEXT_VIEW_SLOT, PrivateValue(nullptr));
obj->setSlot(NEXT_BUFFER_SLOT, PrivateValue(UNSET_BUFFER_LINK));
js::Shape *empty = EmptyShape::getInitialShape(cx, fastClass(),
obj->getProto(), obj->getParent(), obj->getMetadata(),
@ -1344,7 +1343,6 @@ DataViewObject::create(JSContext *cx, uint32_t byteOffset, uint32_t byteLength,
dvobj.setFixedSlot(BYTELENGTH_SLOT, Int32Value(byteLength));
dvobj.setFixedSlot(BUFFER_SLOT, ObjectValue(*arrayBuffer));
dvobj.setFixedSlot(NEXT_VIEW_SLOT, PrivateValue(nullptr));
dvobj.setFixedSlot(NEXT_BUFFER_SLOT, PrivateValue(UNSET_BUFFER_LINK));
InitArrayBufferViewDataPointer(&dvobj, arrayBuffer, byteOffset);
JS_ASSERT(byteOffset + byteLength <= arrayBuffer->byteLength());

2
js/src/vm/TypedArrayObject.h
Просмотреть файл

@ -337,7 +337,7 @@ ClampIntForUint8Array(int32_t x)
return x;
}
extern js::ArrayBufferObject * const UNSET_BUFFER_LINK;
bool ToDoubleForTypedArray(JSContext *cx, JS::HandleValue vp, double *d);
} // namespace js

20
toolkit/components/osfile/NativeOSFileInternals.cpp
Просмотреть файл

@ -64,10 +64,6 @@ namespace {
* and into JavaScript without copy.
*/
struct ArrayBufferContents {
/**
* The header of the ArrayBuffer. This is the pointer actually used by JSAPI.
*/
void* header;
/**
* The data of the ArrayBuffer. This is the pointer manipulated to
* read/write the contents of the buffer.
@ -85,12 +81,11 @@ struct ArrayBufferContents {
struct ScopedArrayBufferContentsTraits {
typedef ArrayBufferContents type;
const static type empty() {
type result = {0, 0, 0};
type result = {0, 0};
return result;
}
const static void release(type ptr) {
js_free(ptr.header);
ptr.header = nullptr;
js_free(ptr.data);
ptr.data = nullptr;
ptr.nbytes = 0;
}
@ -119,10 +114,9 @@ struct ScopedArrayBufferContents: public Scoped<ScopedArrayBufferContentsTraits>
bool Allocate(uint32_t length) {
dispose();
ArrayBufferContents& value = rwget();
if (JS_AllocateArrayBufferContents(/*no context available*/nullptr,
length,
&value.header,
&value.data)) {
void *ptr = JS_AllocateArrayBufferContents(/*no context available*/nullptr, length);
if (ptr) {
value.data = (uint8_t *) ptr;
value.nbytes = length;
return true;
}
@ -360,7 +354,7 @@ nsresult
TypedArrayResult::GetCacheableResult(JSContext* cx, JS::MutableHandle<JS::Value> aResult)
{
MOZ_ASSERT(NS_IsMainThread());
// We cannot simply construct a typed array using contents.header as
// We cannot simply construct a typed array using contents.data as
// this would allow us to have several otherwise unrelated
// ArrayBuffers with the same underlying C buffer. As this would be
// very unsafe, we need to cache the result once we have it.
@ -369,7 +363,7 @@ TypedArrayResult::GetCacheableResult(JSContext* cx, JS::MutableHandle<JS::Value>
MOZ_ASSERT(contents.data);
JS::Rooted<JSObject*>
arrayBuffer(cx, JS_NewArrayBufferWithContents(cx, contents.header));
arrayBuffer(cx, JS_NewArrayBufferWithContents(cx, contents.nbytes, contents.data));
if (!arrayBuffer) {
return NS_ERROR_OUT_OF_MEMORY;
}