Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-12-12 00:50:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1438556: [Part 2] Verify global wrapper not nuked r=tcampbell

Browse Source
This commit is contained in:
Matthew Gaudet 2018-04-30 10:14:35 -04:00 committed by Ted Campbell
parent 2f7b5c763f
commit 42f718290d
2 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
js/src/jit/BaselineCacheIRCompiler.cpp
View File

@ -9,6 +9,7 @@
#include "jit/CacheIR.h"
#include "jit/Linker.h"
#include "jit/SharedICHelpers.h"
#include "proxy/DeadObjectProxy.h"
#include "proxy/Proxy.h"
#include "jit/MacroAssembler-inl.h"
@ -286,13 +287,19 @@ bool
BaselineCacheIRCompiler::emitGuardCompartment()
{
Register obj = allocator.useRegister(masm, reader.objOperandId());
reader.stubOffset(); // Read global wrapper.
AutoScratchRegister scratch(allocator, masm);
FailurePath* failure;
if (!addFailurePath(&failure))
return false;
// Verify that the global wrapper is still valid, as
// it is pre-requisite for doing the compartment check.
Address globalWrapper(stubAddress(reader.stubOffset()));
masm.loadPtr(globalWrapper, scratch);
Address handlerAddr(scratch, ProxyObject::offsetOfHandler());
masm.branchPtr(Assembler::Equal, handlerAddr, ImmPtr(&DeadObjectProxy::singleton), failure->label());
Address addr(stubAddress(reader.stubOffset()));
masm.branchTestObjCompartment(Assembler::NotEqual, obj, addr, scratch, failure->label());
return true;

10
js/src/jit/IonCacheIRCompiler.cpp
View File

@ -13,6 +13,7 @@
#include "jit/JSJitFrameIter.h"
#include "jit/Linker.h"
#include "jit/SharedICHelpers.h"
#include "proxy/DeadObjectProxy.h"
#include "proxy/Proxy.h"
#include "jit/JSJitFrameIter-inl.h"
@ -678,15 +679,20 @@ bool
IonCacheIRCompiler::emitGuardCompartment()
{
Register obj = allocator.useRegister(masm, reader.objOperandId());
objectStubField(reader.stubOffset()); // Read global wrapper.
JSObject* globalWrapper = objectStubField(reader.stubOffset());
JSCompartment* compartment = compartmentStubField(reader.stubOffset());
AutoScratchRegister scratch(allocator, masm);
FailurePath* failure;
if (!addFailurePath(&failure))
return false;
// Verify that the global wrapper is still valid, as
// it is pre-requisite for doing the compartment check.
masm.movePtr(ImmGCPtr(globalWrapper), scratch);
Address handlerAddr(scratch, ProxyObject::offsetOfHandler());
masm.branchPtr(Assembler::Equal, handlerAddr, ImmPtr(&DeadObjectProxy::singleton), failure->label());
masm.branchTestObjCompartment(Assembler::NotEqual, obj, compartment, scratch,
failure->label());
return true;