diff --git a/js/src/builtin/TypedObject.cpp b/js/src/builtin/TypedObject.cpp
index 572650522e9..7b8de745e28 100644
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
@@ -2164,12 +2164,12 @@ TypedObject::dataOffset()
 }
 void
-TypedObject::neuter(JSContext *cx)
+TypedObject::neuter(void *newData)
 {
 setSlot(JS_TYPEDOBJ_SLOT_LENGTH, Int32Value(0));
 setSlot(JS_TYPEDOBJ_SLOT_BYTELENGTH, Int32Value(0));
 setSlot(JS_TYPEDOBJ_SLOT_BYTEOFFSET, Int32Value(0));
- setPrivate(nullptr);
+ setPrivate(newData);
 }
 /******************************************************************************
diff --git a/js/src/builtin/TypedObject.h b/js/src/builtin/TypedObject.h
index 910e865ac8c..8d9f476e59f 100644
--- a/js/src/builtin/TypedObject.h
+++ b/js/src/builtin/TypedObject.h
@@ -588,7 +588,7 @@ class TypedObject : public ArrayBufferViewObject
 void attach(TypedObject &typedObj, int32_t offset);
 // Invoked when array buffer is transferred elsewhere
- void neuter(JSContext *cx);
+ void neuter(void *newData);
 int32_t offset() const {
 return getReservedSlot(JS_TYPEDOBJ_SLOT_BYTEOFFSET).toInt32();
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index dcdfce36fdf..a88787e8e8f 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -332,7 +332,7 @@ ArrayBufferObject::neuter(JSContext *cx, Handle buffer, void
 // buffer's data.
 for (ArrayBufferViewObject *view = buffer->viewList(); view; view = view->nextView()) {
- view->neuter(cx);
+ view->neuter(newData);
 // Notify compiled jit code that the base pointer has moved.
 MarkObjectStateChange(cx, view);
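Review bot: `TypedObject::neuter` now stores whatever pointer it is handed without checking it; the only guard against a null `newData` is the debug-only `MOZ_ASSERT` added in `ArrayBufferViewObject::neuter` (the @@ -905 hunk), and since this member is public any direct caller bypasses that check. The same holds for `TypedArrayObject::neuter` (@@ -105) and `DataViewObject::neuter` (@@ -2430), which set their private data the same way. Mirroring the check as the first line of each body, `MOZ_ASSERT(newData != nullptr);`, keeps the invariant next to the code that stores the pointer; whether a release-build check is warranted depends on whether the dispatch in ArrayBufferViewObject::neuter is the sole caller, which these hunks do not show.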
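Review bot: The comment on the declaration, `// Invoked when array buffer is transferred elsewhere`, still says nothing about what `newData` is or that it must be non-null, and the parallel declarations in ArrayBufferObject.h (@@ -244) and TypedArrayObject.h (@@ -81 and @@ -321) carry no comment at all. I would extend it to `// Invoked when array buffer is transferred elsewhere. |newData| becomes the view's private data pointer and must be non-null; the length, byte-length and byte-offset slots are zeroed.` and repeat that sentence on the other three declarations so the precondition is visible at every entry point.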
@@ -372,12 +372,9 @@ ArrayBufferObject::changeContents(JSContext *cx, void *newData)
 // Update all views.
 ArrayBufferViewObject *viewListHead = viewList();
 for (ArrayBufferViewObject *view = viewListHead; view; view = view->nextView()) {
- // Watch out for NULL data pointers in views. This either
- // means that the view is not fully initialized (in which case
- // it'll be initialized later with the correct pointer) or
- // that the view has been neutered. In that case, the buffer
- // is "en route" to being neutered but the isNeuteredBuffer()
- // flag may not yet be set.
+ // Watch out for NULL data pointers in views. This means that the view
+ // is not fully initialized (in which case it'll be initialized later
+ // with the correct pointer).
 uint8_t *viewDataPointer = view->dataPointer();
 if (viewDataPointer) {
 JS_ASSERT(newData);
@@ -887,17 +884,13 @@ ArrayBufferViewObject::trace(JSTracer *trc, JSObject *obj)
 HeapSlot &bufSlot = obj->getReservedSlotRef(BUFFER_SLOT);
 MarkSlot(trc, &bufSlot, "typedarray.buffer");
- /* Update obj's data slot if the array buffer moved. Note that during
- * initialization, bufSlot may still be JSVAL_VOID. */
+ // Update obj's data pointer if the array buffer moved. Note that during
+ // initialization, bufSlot may still contain |undefined|.
 if (bufSlot.isObject()) {
 ArrayBufferObject &buf = AsArrayBuffer(&bufSlot.toObject());
- if (buf.isNeutered()) {
- // When a view is neutered, it is set to NULL
- JS_ASSERT(obj->getPrivate() == nullptr);
- } else {
- int32_t offset = obj->getReservedSlot(BYTEOFFSET_SLOT).toInt32();
- obj->initPrivate(buf.dataPointer() + offset);
- }
+ int32_t offset = obj->getReservedSlot(BYTEOFFSET_SLOT).toInt32();
+ MOZ_ASSERT(buf.dataPointer() != nullptr);
+ obj->initPrivate(buf.dataPointer() + offset);
 }
 /* Update NEXT_VIEW_SLOT, if the view moved. */
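Review bot: In `ArrayBufferViewObject::trace` the new `MOZ_ASSERT(buf.dataPointer() != nullptr)` is compiled out of release builds, so if a buffer reachable from a view can still carry a null data pointer, `obj->initPrivate(buf.dataPointer() + offset)` stores `nullptr + offset` as the view's data pointer where the removed branch previously left the view at null. I cannot see from the hunk whether the neuter path now guarantees every buffer a non-null pointer, so that guarantee is worth confirming before relying on a debug assert alone. The new lines also use `MOZ_ASSERT` while the same file uses `JS_ASSERT` (the `JS_ASSERT(newData)` in @@ -372); picking one keeps the file consistent. trace continues past the end of the hunk.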
@@ -905,14 +898,15 @@ ArrayBufferViewObject::trace(JSTracer *trc, JSObject *obj)
 }
 void
-ArrayBufferViewObject::neuter(JSContext *cx)
+ArrayBufferViewObject::neuter(void *newData)
 {
+ MOZ_ASSERT(newData != nullptr);
 if (is())
- as().neuter();
+ as().neuter(newData);
 else if (is())
- as().neuter(cx);
+ as().neuter(newData);
 else
- as().neuter(cx);
+ as().neuter(newData);
 }
 /* JS Friend API */
diff --git a/js/src/vm/ArrayBufferObject.h b/js/src/vm/ArrayBufferObject.h
index f788c91c184..d7ce504045f 100644
--- a/js/src/vm/ArrayBufferObject.h
+++ b/js/src/vm/ArrayBufferObject.h
@@ -244,7 +244,7 @@ class ArrayBufferViewObject : public JSObject
 inline void setNextView(ArrayBufferViewObject *view);
- void neuter(JSContext *cx);
+ void neuter(void *newData);
 static void trace(JSTracer *trc, JSObject *obj);
@@ -275,13 +275,8 @@ InitArrayBufferViewDataPointer(ArrayBufferViewObject *obj, ArrayBufferObject *bu
 * private data rather than a slot to avoid alignment restrictions
 * on private Values. */
-
- if (buffer->isNeutered()) {
- JS_ASSERT(byteOffset == 0);
- obj->initPrivate(nullptr);
- } else {
- obj->initPrivate(buffer->dataPointer() + byteOffset);
- }
+ MOZ_ASSERT(buffer->dataPointer() != nullptr);
+ obj->initPrivate(buffer->dataPointer() + byteOffset);
 PostBarrierTypedArrayObject(obj);
 }
diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
index 2d6e2d30882..3142dd508f0 100644
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -105,12 +105,12 @@ TypedArrayObject::isArrayIndex(jsid id, uint32_t *ip)
 }
 void
-TypedArrayObject::neuter(JSContext *cx)
+TypedArrayObject::neuter(void *newData)
 {
 setSlot(LENGTH_SLOT, Int32Value(0));
 setSlot(BYTELENGTH_SLOT, Int32Value(0));
 setSlot(BYTEOFFSET_SLOT, Int32Value(0));
- setPrivate(nullptr);
+ setPrivate(newData);
 }
 ArrayBufferObject *
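Review bot: `InitArrayBufferViewDataPointer` drops the `JS_ASSERT(byteOffset == 0)` that the removed neutered-buffer branch enforced, so a view created over an already-neutered buffer with a non-zero `byteOffset` now gets `dataPointer() + byteOffset` with nothing flagging it; whether callers reject such views before reaching this function is not visible in the hunk. If that invariant is meant to survive the change, `MOZ_ASSERT_IF(buffer->isNeutered(), byteOffset == 0);` placed next to the new `MOZ_ASSERT` preserves it at no release-build cost. The function's signature and the start of its comment block lie outside the hunk.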
@@ -2430,11 +2430,11 @@ DataViewObject::initClass(JSContext *cx)
 }
 void
-DataViewObject::neuter()
+DataViewObject::neuter(void *newData)
 {
 setSlot(BYTELENGTH_SLOT, Int32Value(0));
 setSlot(BYTEOFFSET_SLOT, Int32Value(0));
- setPrivate(nullptr);
+ setPrivate(newData);
 }
 JSObject *
diff --git a/js/src/vm/TypedArrayObject.h b/js/src/vm/TypedArrayObject.h
index ea407516ee9..588084020d0 100644
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -81,7 +81,7 @@ class TypedArrayObject : public ArrayBufferViewObject
 Value getElement(uint32_t index);
 bool setElement(ThreadSafeContext *cx, uint32_t index, const Value &value);
- void neuter(JSContext *cx);
+ void neuter(void *newData);
 static uint32_t slotWidth(int atype) {
 switch (atype) {
@@ -321,7 +321,7 @@ class DataViewObject : public ArrayBufferViewObject
 static bool write(JSContext *cx, Handle obj, CallArgs &args, const char *method);
- void neuter();
+ void neuter(void *newData);
 private:
 static const JSFunctionSpec jsfuncs[];