Backed out changeset b47c66fceb44 (bug 1312480) for GC crashes on a CLOSED TREE.

js/src/jit-test/tests/ion/bug1312480.js

@@ -1,5 +0,0 @@
-
-for (var i=0; i<1000; i++) {
-    var a = new Int32Array(0);
-    print(a.values());
-}

js/src/jit/MacroAssembler.cpp

@@ -1043,9 +1043,9 @@ AllocateObjectBufferWithInit(JSContext* cx, TypedArrayObject* obj, int32_t count
     // Negative numbers will bail out to the slow path, which in turn will raise
     // an invalid argument exception.
     if (count <= 0) {
-        obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(0));
         if (count == 0)
             obj->setInlineElements();
+        obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(0));
         return;
     }
 
@@ -1097,12 +1097,6 @@ MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register length
     if (lengthKind == TypedArrayLength::Fixed && dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE) {
         MOZ_ASSERT(dataOffset + nbytes <= templateObj->tenuredSizeOfThis());
 
-        if (length == 0) {
-            // Store nullptr inside the data slot offset when size is 0.
-            storePtr(ImmPtr(nullptr), Address(obj, dataSlotOffset));
-            return;
-        }
-
         // Store data elements inside the remaining JSObject slots.
         computeEffectiveAddress(Address(obj, dataOffset), temp);
         storePtr(temp, Address(obj, dataSlotOffset));

js/src/vm/TypedArrayObject.cpp

@@ -240,9 +240,6 @@ JS_FOR_EACH_TYPED_ARRAY(OBJECT_MOVED_TYPED_ARRAY)
 bool
 TypedArrayObject::hasInlineElements() const
 {
-    if (!elements())
-        return true;
-
     return elements() == this->fixedData(TypedArrayObject::FIXED_DATA_START) &&
         byteLength() <= TypedArrayObject::INLINE_BUFFER_LIMIT;
 }
@@ -251,10 +248,6 @@ void
 TypedArrayObject::setInlineElements()
 {
     char* dataSlot = reinterpret_cast<char*>(this) + this->dataOffset();
-    if (length() == 0) {
-        *reinterpret_cast<void**>(dataSlot) = nullptr;
-        return;
-    }
     *reinterpret_cast<void**>(dataSlot) = this->fixedData(TypedArrayObject::FIXED_DATA_START);
 }
 
@@ -513,13 +506,9 @@ class TypedArrayObjectTemplate : public TypedArrayObject
                 }
             }
         } else {
-            if (len == 0) {
-                obj->initPrivate(nullptr);
-            } else {
-                void* data = obj->fixedData(FIXED_DATA_START);
-                obj->initPrivate(data);
-                memset(data, 0, len * sizeof(NativeType));
-            }
+            void* data = obj->fixedData(FIXED_DATA_START);
+            obj->initPrivate(data);
+            memset(data, 0, len * sizeof(NativeType));
         }
 
         obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(len));
@@ -632,13 +621,9 @@ class TypedArrayObjectTemplate : public TypedArrayObject
             MOZ_ASSERT(offset + nbytes <= GetGCKindBytes(allocKind));
 #endif
 
-            if (len == 0) {
-                tarray->initPrivate(nullptr);
-            } else {
-                void* data = tarray->fixedData(FIXED_DATA_START);
-                tarray->initPrivate(data);
-                memset(data, 0, nbytes);
-            }
+            void* data = tarray->fixedData(FIXED_DATA_START);
+            tarray->initPrivate(data);
+            memset(data, 0, nbytes);
         }
     }
 

js/src/vm/TypedArrayObject.h

@@ -165,9 +165,7 @@ class TypedArrayObject : public NativeObject
     bool hasInlineElements() const;
     void setInlineElements();
     uint8_t* elements() const {
-        uint8_t* output = *(uint8_t **)((((char *)this) + this->dataOffset()));
-        MOZ_ASSERT_IF(length() == 0 && !hasBuffer(), output == nullptr);
-        return output;
+        return *(uint8_t **)((((char *)this) + this->dataOffset()));
     }
 
     Value getElement(uint32_t index);