Bug 743854 - Do not call init on ArrayBuffer slots in NewObject. r=billm

ArrayBuffers use slotSpan to store their inline size. If we try to initialize these, then we end up with their address in the StoreBuffer, but with arbitrary bytes written in these fields by TypeArrays. This patch uses an exact class test to prevent this initialization behavior. --HG-- extra : rebase_source : 8aacef597dc7456c5e1e08524c84bbb0932b9a68

Bug 743854 - Do not call init on ArrayBuffer slots in NewObject. r=billm
287d0a61 · Terrence Cole · d999c3fb · 287d0a61
Commit 287d0a61 authored 12 years ago by Terrence Cole
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -862,10 +862,12 @@ JSObject::create(JSContext *cx, js::gc::AllocKind kind,
    obj->slots = slots;
    obj->elements = js::emptyObjectElements;

-    if (shape->getObjectClass()->hasPrivate())
+    const js::Class *clasp = shape->getObjectClass();
+    if (clasp->hasPrivate())
        obj->privateRef(shape->numFixedSlots()) = NULL;

-    if (size_t span = shape->slotSpan())
+    size_t span = shape->slotSpan();
+    if (span && clasp != &js::ArrayBufferClass)
        obj->initializeSlotRange(0, span);

    return obj;