Bug 1867941 - Add even more debugging code for diagnosing crash bug 1856672. r=sfink

We have a crash with JS_IsTypedArrayObject == true, JS_GetArrayBufferViewBuffer failed but the length is not too big. We need to figure out what value the buffer slot contains. Differential Revision: https://phabricator.services.mozilla.com/D195341
2023-12-04 07:20:25 +00:00 · 2023-12-04 07:20:25 +00:00 · 8efeebf519
commit 8efeebf519
parent aa7f6e50ee
1 changed files with 19 additions and 29 deletions
--- a/dom/bindings/TypedArray.h
+++ b/dom/bindings/TypedArray.h
@ -676,36 +676,26 @@ struct TypedArray_base : public SpiderMonkeyInterfaceObjectStorage,
        JSObject* buffer =
            JS_GetArrayBufferViewBuffer(jsapi.cx(), view, &unused);
        if (!buffer) {
-          JS::Value bufferSlot = JS::GetReservedSlot(view, /* BUFFER_SLOT */ 0);
-          if (!bufferSlot.isObject()) {
-            if (JS_IsTypedArrayObject(view)) {
-              // ensureBufferObject would try to create a buffer, check length
-#  ifdef JS_64BIT
-              if (JS_GetArrayBufferViewByteLength(view) >
-                  size_t(8) * 1024 * 1024 * 1024) {
-                MOZ_CRASH(
-                    "Creating buffer for TypedArrayObject would fail (length "
-                    "is too large on 64-bit)");
-              }
-#  else
-              if (JS_GetArrayBufferViewByteLength(view) > INT32_MAX) {
-                MOZ_CRASH(
-                    "Creating buffer for TypedArrayObject would fail (length "
-                    "is too large on 32-bit)");
-              }
-#  endif
-            } else if (bufferSlot.isNull()) {
-              MOZ_CRASH("DataView with bufferSlot containing null");
-            } else if (bufferSlot.isBoolean()) {
-              MOZ_CRASH("DataView with bufferSlot containing boolean");
-            } else {
-              MOZ_CRASH("Huh?");
-            }
-          }
          if (JS_IsTypedArrayObject(view)) {
-            MOZ_CRASH(
-                "JS_GetArrayBufferViewBuffer failed for TypedArrayObject, "
-                "calling ensureBufferObject but length checked out ok?");
+            JS::Value bufferSlot =
+                JS::GetReservedSlot(view, /* BUFFER_SLOT */ 0);
+            if (bufferSlot.isNull()) {
+              MOZ_CRASH("TypedArrayObject with bufferSlot containing null");
+            } else if (bufferSlot.isBoolean()) {
+              MOZ_CRASH("TypedArrayObject with bufferSlot containing boolean");
+            } else if (bufferSlot.isObject()) {
+              if (!bufferSlot.toObjectOrNull()) {
+                MOZ_CRASH(
+                    "TypedArrayObject with bufferSlot containing null object");
+              } else {
+                MOZ_CRASH(
+                    "JS_GetArrayBufferViewBuffer failed but bufferSlot "
+                    "contains a non-null object");
+              }
+            } else {
+              MOZ_CRASH(
+                  "TypedArrayObject with bufferSlot containing weird value");
+            }
          } else {
            MOZ_CRASH("JS_GetArrayBufferViewBuffer failed for DataViewObject");
          }