Bug 1527900 - Throw exception if StructuredClone sees bigint in realm without bigint r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D21206 --HG-- extra : moz-landing-system : lando
2024-10-22 01:35:35 +00:00 · 2019-03-01 10:01:33 +00:00 · 2019-03-01 10:01:33 +00:00 · 5dc4cb3a7d
commit 5dc4cb3a7d
parent 42532f4e8e
5 changed files with 46 additions and 0 deletions
--- a/js/src/js.msg
+++ b/js/src/js.msg
@ -688,6 +688,7 @@ MSG_DEF(JSMSG_BIGINT_NEGATIVE_EXPONENT, 0, JSEXN_RANGEERR, "BigInt negative expo
 MSG_DEF(JSMSG_BIGINT_INVALID_SYNTAX, 0, JSEXN_SYNTAXERR, "invalid BigInt syntax")
 MSG_DEF(JSMSG_NOT_BIGINT, 0, JSEXN_TYPEERR, "not a BigInt")
 MSG_DEF(JSMSG_BIGINT_NOT_SERIALIZABLE, 0, JSEXN_TYPEERR, "BigInt value can't be serialized in JSON")
+MSG_DEF(JSMSG_SC_BIGINT_DISABLED, 0, JSEXN_ERR, "BigInt not cloned - feature disabled in receiver")

 // BinAST
 MSG_DEF(JSMSG_BINAST,                                    1, JSEXN_SYNTAXERR, "BinAST Parsing Error: {0}")
--- a/js/src/shell/fuzz-flags.txt
+++ b/js/src/shell/fuzz-flags.txt
@ -43,6 +43,9 @@
 --spectre-mitigations=on
 --more-compartments

+# Experimental JS language features
+--no-bigint
+
 # GC-related
 # These 2 flags can cause the shell to slow down
 # --gc-zeal=2
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@ -6169,6 +6169,13 @@ static bool NewGlobal(JSContext* cx, unsigned argc, Value* vp) {
      behaviors.setDisableLazyParsing(v.toBoolean());
    }

+    if (!JS_GetProperty(cx, opts, "enableBigInt", &v)) {
+      return false;
+    }
+    if (v.isBoolean()) {
+      creationOptions.setBigIntEnabled(v.toBoolean());
+    }
+
    if (!JS_GetProperty(cx, opts, "systemPrincipal", &v)) {
      return false;
    }
--- a/js/src/tests/non262/extensions/clone-bigint.js
+++ b/js/src/tests/non262/extensions/clone-bigint.js
@ -0,0 +1,29 @@
+// |reftest| skip-if(!xulRuntime.shell)
+// -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+
+function testBigInt(b) {
+    var a = deserialize(serialize(b));
+    assertEq(typeof b, "bigint");
+    assertEq(typeof a, "bigint");
+    assertEq(a, b);
+}
+
+testBigInt(0n);
+testBigInt(-1n);
+testBigInt(1n);
+
+testBigInt(0xffffFFFFffffFFFFffffFFFFffffFFFFn);
+testBigInt(-0xffffFFFFffffFFFFffffFFFFffffFFFFn);
+
+var g = newGlobal({ enableBigInt: false, sameCompartmentAs: this });
+var deserializeNoBigInt = g.evaluate("deserialize");
+
+assertEq(deserializeNoBigInt(serialize(1)), 1);
+assertThrows(() => deserializeNoBigInt(serialize(1n)))
+assertThrows(() => deserializeNoBigInt(serialize(0n)))
+assertThrows(() => deserializeNoBigInt(serialize(0xffffffn)))
+assertThrows(() => deserializeNoBigInt(serialize(-1n)))
+
+reportCompare(0, 0, 'ok');
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@ -2043,6 +2043,12 @@ JSString* JSStructuredCloneReader::readString(uint32_t data) {
 }

 BigInt* JSStructuredCloneReader::readBigInt(uint32_t data) {
+  if (!context()->realm()->creationOptions().getBigIntEnabled()) {
+    JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
+                              JSMSG_SC_BIGINT_DISABLED);
+    return nullptr;
+  }
+
  size_t length = data & JS_BITMASK(31);
  bool isNegative = data & (1 << 31);
  if (length == 0) {