mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-04 19:33:18 +00:00
Bug 1538542: Report an error in the transplant testing function when new wrappers can't be created. r=jandem
And also assert this case can't happen in the browser case. Differential Revision: https://phabricator.services.mozilla.com/D24883 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
dc73603b46
commit
20cf72c49d
@ -2196,6 +2196,12 @@ void UpdateReflectorGlobal(JSContext* aCx, JS::Handle<JSObject*> aObjArg,
|
||||
return;
|
||||
}
|
||||
|
||||
// Assert it's possible to create wrappers when |aObj| and |newobj| are in
|
||||
// different compartments.
|
||||
MOZ_ASSERT_IF(
|
||||
js::GetObjectCompartment(aObj) != js::GetObjectCompartment(newobj),
|
||||
js::AllowNewWrapper(js::GetObjectCompartment(aObj), newobj));
|
||||
|
||||
JS::Rooted<JSObject*> propertyHolder(aCx);
|
||||
JS::Rooted<JSObject*> copyFrom(aCx, isProxy ? expandoObject : aObj);
|
||||
if (copyFrom) {
|
||||
|
13
js/src/jit-test/tests/auto-regress/bug1538542-1.js
Normal file
13
js/src/jit-test/tests/auto-regress/bug1538542-1.js
Normal file
@ -0,0 +1,13 @@
|
||||
var lfOffThreadGlobal = newGlobal();
|
||||
nukeAllCCWs();
|
||||
const thisGlobal = this;
|
||||
const otherGlobalNewCompartment = newGlobal({
|
||||
newCompartment: true
|
||||
});
|
||||
let { transplant } = transplantableObject();
|
||||
|
||||
// Just don't crash.
|
||||
try {
|
||||
transplant(otherGlobalNewCompartment);
|
||||
transplant(thisGlobal);
|
||||
} catch {}
|
13
js/src/jit-test/tests/auto-regress/bug1538542-2.js
Normal file
13
js/src/jit-test/tests/auto-regress/bug1538542-2.js
Normal file
@ -0,0 +1,13 @@
|
||||
var lfOffThreadGlobal = newGlobal();
|
||||
nukeAllCCWs();
|
||||
const thisGlobal = this;
|
||||
const otherGlobalNewCompartment = newGlobal({
|
||||
newCompartment: false
|
||||
});
|
||||
let { transplant } = transplantableObject();
|
||||
|
||||
// Just don't crash.
|
||||
try {
|
||||
transplant(otherGlobalNewCompartment);
|
||||
transplant(thisGlobal);
|
||||
} catch {}
|
@ -8142,9 +8142,11 @@ static bool TransplantObject(JSContext* cx, unsigned argc, Value* vp) {
|
||||
// 1. Check the recursion depth using CheckRecursionLimitConservative.
|
||||
// 2. Enter the target compartment.
|
||||
// 3. Clone the source object using JS_CloneObject.
|
||||
// 4. Copy all properties from source to a temporary holder object.
|
||||
// 5. Actually transplant the object.
|
||||
// 6. And finally copy the properties back to the source object.
|
||||
// 4. Check if new wrappers can be created if source and target are in
|
||||
// different compartments.
|
||||
// 5. Copy all properties from source to a temporary holder object.
|
||||
// 6. Actually transplant the object.
|
||||
// 7. And finally copy the properties back to the source object.
|
||||
//
|
||||
// As an extension to the algorithm in UpdateReflectorGlobal, we also allow
|
||||
// to transplant an object into the same compartment as the source object to
|
||||
@ -8178,6 +8180,12 @@ static bool TransplantObject(JSContext* cx, unsigned argc, Value* vp) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (GetObjectCompartment(source) != GetObjectCompartment(target) &&
|
||||
!AllowNewWrapper(GetObjectCompartment(source), target)) {
|
||||
JS_ReportErrorASCII(cx, "Cannot transplant into nuked compartment");
|
||||
return false;
|
||||
}
|
||||
|
||||
RootedObject copyFrom(cx, isProxy ? expandoObject : source);
|
||||
RootedObject propertyHolder(cx,
|
||||
JS_NewObjectWithGivenProto(cx, nullptr, nullptr));
|
||||
|
Loading…
Reference in New Issue
Block a user