From de52f61320c3b8dee017a44e3d4cb0100147fea2 Mon Sep 17 00:00:00 2001
From: Vladimir Vukicevic
Date: Tue, 30 Mar 2010 16:43:42 -0700
Subject: [PATCH] b=555807; typed array native constructor fix; r=jorendorff
---
 js/src/jstypedarray.cpp | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/js/src/jstypedarray.cpp b/js/src/jstypedarray.cpp
index e4d740458bed..74ebf1b9155a 100644
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@@ -1397,7 +1397,8 @@ JS_FRIEND_API(JSObject *)
 js_CreateArrayBuffer(JSContext *cx, jsuint nbytes)
 {
 AutoValueRooter tvr(cx);
- js_NewNumberInRootedValue(cx, jsdouble(nbytes), tvr.addr());
+ if (!js_NewNumberInRootedValue(cx, jsdouble(nbytes), tvr.addr()))
+ return NULL;
 AutoValueRooter rval(cx);
 if (!ArrayBuffer::class_constructor(cx, cx->globalObject,
@@ -1484,8 +1485,7 @@ js_CreateTypedArrayWithBuffer(JSContext *cx, jsint atype, JSObject *bufArg,
 {
 JS_ASSERT(atype >= 0 && atype < TypedArray::TYPE_MAX);
 JS_ASSERT(bufArg && ArrayBuffer::fromJSObject(bufArg));
- /* if byteoffset is -1, length must be -1 */
- JS_ASSERT(length < 0 || byteoffset >= 0);
+ JS_ASSERT_IF(byteoffset < 0, length < 0);
 jsval vals[4];
 AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals);
@@ -1494,17 +1494,19 @@ js_CreateTypedArrayWithBuffer(JSContext *cx, jsint atype, JSObject *bufArg,
 vals[0] = OBJECT_TO_JSVAL(bufArg);
 if (byteoffset >= 0) {
- js_NewNumberInRootedValue(cx, jsdouble(byteoffset), &vals[1]);
+ if (!js_NewNumberInRootedValue(cx, jsdouble(byteoffset), &vals[argc]))
+ return NULL;
+ argc++;
 }
 if (length >= 0) {
- js_NewNumberInRootedValue(cx, jsdouble(length), &vals[1]);
+ if (!js_NewNumberInRootedValue(cx, jsdouble(length), &vals[argc]))
+ return NULL;
+ argc++;
 }
- js_NewNumberInRootedValue(cx, jsdouble(byteoffset), &vals[0]);
-
 if (!TypedArrayConstruct(cx, atype, argc, &vals[0], &vals[3]))
 return NULL;
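Review bot: The `JS_ASSERT_IF(byteoffset < 0, length < 0)` precondition in js_CreateTypedArrayWithBuffer is, as far as I know, checked only in debug builds, and the comment that explained it is removed without a replacement. The following hunk fills `vals[argc]` positionally, so in a release build a caller passing a negative byteoffset with a non-negative length would put length in the slot that otherwise carries byteoffset; argc's initial value is outside the visible hunks, so this is inferred. I would keep a comment above the assertion such as `/* args are positional: a length without a byteoffset would land in the byteoffset slot */`. If any caller can derive these values from script-controlled data, an explicit runtime check that reports an error would be safer than relying on the assertion. The function begins and ends outside this hunk.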