Bug 1538542: Report an error in the transplant testing function when new wrappers can't be created. r=jandem

Also assert that this case cannot happen in the browser (UpdateReflectorGlobal).

Differential Revision: https://phabricator.services.mozilla.com/D24883

--HG--
extra : moz-landing-system : lando
André Bargull 2019-03-28 17:27:49 +00:00
parent dc73603b46
commit 20cf72c49d
4 changed files with 43 additions and 3 deletions


@ -2196,6 +2196,12 @@ void UpdateReflectorGlobal(JSContext* aCx, JS::Handle<JSObject*> aObjArg,
return;
}
// Assert it's possible to create wrappers when |aObj| and |newobj| are in
// different compartments.
MOZ_ASSERT_IF(
js::GetObjectCompartment(aObj) != js::GetObjectCompartment(newobj),
js::AllowNewWrapper(js::GetObjectCompartment(aObj), newobj));
JS::Rooted<JSObject*> propertyHolder(aCx);
JS::Rooted<JSObject*> copyFrom(aCx, isProxy ? expandoObject : aObj);
if (copyFrom) {
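Review bot: The added `MOZ_ASSERT_IF` only fires in debug builds; in a release build a transplant between two compartments that can no longer wrap each other continues past this point with no check, and nothing in the hunk says what happens downstream in that case. The comment should state why the invariant holds, not merely that it is asserted, e.g. `// Wrappers between the two compartments must still be creatable here: the browser never transplants a reflector into or out of a nuked compartment (confirm the exact guarantee), so unlike the shell's TransplantObject we assert instead of reporting an error.` If a release-build violation would be caught later anyway (say, by the transplant itself failing), noting that in the same comment closes the loop. UpdateReflectorGlobal's body starts before and ends after this hunk.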


@ -0,0 +1,13 @@
var lfOffThreadGlobal = newGlobal();
nukeAllCCWs();
const thisGlobal = this;
const otherGlobalNewCompartment = newGlobal({
newCompartment: true
});
let { transplant } = transplantableObject();
// Just don't crash.
try {
transplant(otherGlobalNewCompartment);
transplant(thisGlobal);
} catch {}
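Review bot: The `catch {}` at the end swallows whatever `transplant(otherGlobalNewCompartment)` throws, so this test never pins the "Cannot transplant into nuked compartment" error the commit introduces; a regression that let the transplant silently succeed or throw something else would still pass. If the first call is expected to throw after `nukeAllCCWs()` (which depends on which nuked flags that helper sets on this compartment), catching into a variable and checking `assertEq(e.message, "Cannot transplant into nuked compartment")` would make the expectation explicit. `var lfOffThreadGlobal = newGlobal();` is never referenced and looks like a fuzzer-reduction leftover; if creating that extra global before `nukeAllCCWs()` is part of the repro, a one-line comment saying so would stop the next reader from deleting it.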


@ -0,0 +1,13 @@
var lfOffThreadGlobal = newGlobal();
nukeAllCCWs();
const thisGlobal = this;
const otherGlobalNewCompartment = newGlobal({
newCompartment: false
});
let { transplant } = transplantableObject();
// Just don't crash.
try {
transplant(otherGlobalNewCompartment);
transplant(thisGlobal);
} catch {}
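Review bot: `// Just don't crash.` does not say how this file differs from its sibling with `newCompartment: true`; with `newCompartment: false` the new global presumably shares the compartment of `this`, so the shell's compartment-inequality guard short-circuits and the transplant takes the same-compartment path that the new nuked-wrapper check never touches. A comment such as `// Same-compartment transplant after nukeAllCCWs(): the nuked-wrapper check must not fire here.` would record that intent. `var lfOffThreadGlobal` is unused here as well.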


@ -8142,9 +8142,11 @@ static bool TransplantObject(JSContext* cx, unsigned argc, Value* vp) {
// 1. Check the recursion depth using CheckRecursionLimitConservative.
// 2. Enter the target compartment.
// 3. Clone the source object using JS_CloneObject.
// 4. Copy all properties from source to a temporary holder object.
// 5. Actually transplant the object.
// 6. And finally copy the properties back to the source object.
// 4. Check if new wrappers can be created if source and target are in
// different compartments.
// 5. Copy all properties from source to a temporary holder object.
// 6. Actually transplant the object.
// 7. And finally copy the properties back to the source object.
//
// As an extension to the algorithm in UpdateReflectorGlobal, we also allow
// to transplant an object into the same compartment as the source object to
@ -8178,6 +8180,12 @@ static bool TransplantObject(JSContext* cx, unsigned argc, Value* vp) {
return false;
}
if (GetObjectCompartment(source) != GetObjectCompartment(target) &&
!AllowNewWrapper(GetObjectCompartment(source), target)) {
JS_ReportErrorASCII(cx, "Cannot transplant into nuked compartment");
return false;
}
RootedObject copyFrom(cx, isProxy ? expandoObject : source);
RootedObject propertyHolder(cx,
JS_NewObjectWithGivenProto(cx, nullptr, nullptr));
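Review bot: The new guard `if (GetObjectCompartment(source) != GetObjectCompartment(target) && !AllowNewWrapper(GetObjectCompartment(source), target))` is step 4 in the updated step list, i.e. it runs after the step-3 clone in the target compartment, so a clone object is allocated and discarded every time the check fails; the check depends only on the two compartments, which are known before anything is cloned, so it could move up to directly after the recursion check and the step numbering be adjusted. The message `"Cannot transplant into nuked compartment"` names only the target, whereas `AllowNewWrapper` presumably also refuses when the source compartment's own wrappers were nuked (the new test calls `nukeAllCCWs()` from the source global), so something like `"Cannot transplant: wrappers between the source and target compartments have been nuked"` would be more accurate. TransplantObject's body begins before and ends after these hunks.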