Bug 981650 -- Check the variable-size flag on the type descriptor, not the type representation r=sfink

Nicholas D. Matsakis 2014-03-18 08:19:04 -04:00
parent 428a0c958e
commit 34cda3e53e
2 changed files with 14 additions and 4 deletions


@ -453,9 +453,9 @@ function SetTypedObjectValue(descr, typedObj, offset, fromValue) {
new TypedObjectPointer(descr, typedObj, offset).set(fromValue);
}
// Assigns `fromValue` to the memory pointed at by `this`, adapting it
// to `typeRepr` as needed. This is the most general entry point and
// works for any type.
// Writes `fromValue` into the memory pointed at by `this`, adapting
// it to `typeRepr` as needed. This is the most general entry point
// and works for any type.
TypedObjectPointer.prototype.set = function(fromValue) {
assert(TypedObjectIsAttached(this.typedObj), "set() called with unattached typedObj");
@ -464,7 +464,7 @@ TypedObjectPointer.prototype.set = function(fromValue) {
// memcpy.
if (IsObject(fromValue) && ObjectIsTypedObject(fromValue)) {
var typeRepr = DESCR_TYPE_REPR(this.descr);
if (!typeRepr.variable && TYPEDOBJ_TYPE_REPR(fromValue) === typeRepr) {
if (!this.descr.variable && TYPEDOBJ_TYPE_REPR(fromValue) === typeRepr) {
if (!TypedObjectIsAttached(fromValue))
ThrowError(JSMSG_TYPEDOBJECT_HANDLE_UNATTACHED);
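Review bot: The fast-path guard in `set` needs a why-comment, because `if (!this.descr.variable && TYPEDOBJ_TYPE_REPR(fromValue) === typeRepr)` now reads one flag from the descriptor and compares type representations in the same condition, and nothing at that line says why the two sources differ. A later cleanup could move the check back to `typeRepr.variable` and reopen the path into the block the preceding comment labels as a memcpy. Something like `// Bug 981650: the variable-size flag is on the descriptor, not on typeRepr; variable-size types must not take the memcpy path.` directly above the `if` would hold the invariant. The reworded header comment above `set` still says the value is adapted to `typeRepr`, although the function works from `this.descr`. The body of `set` runs past the end of this hunk, so any other reads of `typeRepr.variable` further down are not visible here and are worth checking.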


@ -0,0 +1,10 @@
// Fuzz bug 981650: Test creating an unsized array type based on an instance of
// that same type.
if (typeof TypedObject === "undefined")
quit();
var T = TypedObject;
var AT = new T.ArrayType(T.int32);
var v = new AT(10);
new AT(v);
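Review bot: The test never checks what `new AT(v)` produces, so it passes on any outcome that neither crashes nor throws. If the intended result is a fresh array copied from `v` (an assumption, the page does not state it), writing a non-zero element first and asserting on the result would pin that behaviour: `v[3] = 7; var w = new AT(v); assertEq(w.length, 10); assertEq(w[3], 7);`. The header comment could also state in one line what went wrong before the fix, so a future failure in this file is easier to triage.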