Bug 969159 -- Adjust assertion to account for zero-sized objects r=shu

js/src/builtin/TypedObject.cpp

@@ -1341,6 +1341,7 @@ void
 TypedDatum::attach(TypedDatum &datum, uint32_t offset)
 {
     JS_ASSERT(datum.getReservedSlot(JS_DATUM_SLOT_OWNER).isObject());
+    JS_ASSERT(offset + size() <= datum.size());
 
     // find the location in memory
     uint8_t *mem = datum.typedMem(offset);

js/src/builtin/TypedObject.h

@@ -516,7 +516,12 @@ class TypedDatum : public JSObject
     }
 
     uint8_t *typedMem(size_t offset) const {
-        JS_ASSERT(offset < size());
+        // It seems a bit surprising that one might request an offset
+        // == size(), but it can happen when taking the "address of" a
+        // 0-sized value. (In other words, we maintain the invariant
+        // that `offset + size <= size()` -- this is always checked in
+        // the caller's side.)
+        JS_ASSERT(offset <= size());
         return typedMem() + offset;
     }
 };

js/src/jit-test/tests/TypedObject/bug969159.js

@@ -0,0 +1,9 @@
+// Test access to a 0-sized element (in this case,
+// a zero-length array).
+
+if (!this.hasOwnProperty("TypedObject"))
+  quit();
+
+var AA = TypedObject.uint8.array(0.).array(5);
+var aa = new AA();
+var aa0 = aa[0];