Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-12-01 08:42:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1513665 - Add missing realm checks to some Array and Promise functions. r=anba

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D17511

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Jan de Mooij 2019-01-24 19:22:42 +00:00
parent 465dbfe030
commit e2fd8d6b38
3 changed files with 35 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
js/src/builtin/Array.cpp
View File

@ -3677,9 +3677,13 @@ static bool ArrayFromCallArgs(JSContext* cx, CallArgs& args,
static bool array_of(JSContext* cx, unsigned argc, Value* vp) { static bool array_of(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp); CallArgs args = CallArgsFromVp(argc, vp);
if (IsArrayConstructor(args.thisv()) || !IsConstructor(args.thisv())) { bool isArrayConstructor =
// IsArrayConstructor(this) will usually be true in practice. This is IsArrayConstructor(args.thisv()) &&
// the most common path. args.thisv().toObject().nonCCWRealm() == cx->realm();
if (isArrayConstructor || !IsConstructor(args.thisv())) {
// isArrayConstructor will usually be true in practice. This is the most
// common path.
return ArrayFromCallArgs(cx, args); return ArrayFromCallArgs(cx, args);
} }

6
js/src/builtin/Promise.cpp
View File

@ -1236,7 +1236,8 @@ static MOZ_MUST_USE bool NewPromiseCapability(
// For Promise.all and Promise.race we can only optimize away the creation // For Promise.all and Promise.race we can only optimize away the creation
// of the GetCapabilitiesExecutor function, and directly allocate the // of the GetCapabilitiesExecutor function, and directly allocate the
// result promise instead of invoking the Promise constructor. // result promise instead of invoking the Promise constructor.
if (IsNativeFunction(cVal, PromiseConstructor)) { if (IsNativeFunction(cVal, PromiseConstructor) &&
cVal.toObject().nonCCWRealm() == cx->realm()) {
PromiseObject* promise; PromiseObject* promise;
if (canOmitResolutionFunctions) { if (canOmitResolutionFunctions) {
promise = CreatePromiseObjectWithoutResolutionFunctions(cx); promise = CreatePromiseObjectWithoutResolutionFunctions(cx);
@ -4065,7 +4066,8 @@ static bool Promise_catch_impl(JSContext* cx, unsigned argc, Value* vp,
return false; return false;
} }
if (IsNativeFunction(thenVal, &Promise_then)) { if (IsNativeFunction(thenVal, &Promise_then) &&
thenVal.toObject().nonCCWRealm() == cx->realm()) {
return Promise_then_impl(cx, thisVal, onFulfilled, onRejected, args.rval(), return Promise_then_impl(cx, thisVal, onFulfilled, onRejected, args.rval(),
rvalUsed); rvalUsed);
} }

24
js/src/jit-test/tests/realms/bug1513665.js Normal file
View File

@ -0,0 +1,24 @@
load(libdir + "asserts.js");
var g = newGlobal();
function testArrayOf() {
var a = Array.of.call(g.Array);
assertEq(a instanceof g.Array, true);
}
testArrayOf();
function testPromiseThen() {
var p = Promise.resolve(0);
p.constructor = g.Promise;
var r = p.then(() => {});
assertEq(r instanceof g.Promise, true);
}
testPromiseThen();
function testPromiseCatch() {
Boolean.prototype.then = g.Promise.prototype.then;
assertThrowsInstanceOf(() => Promise.prototype.catch.call(false),
g.TypeError);
}
testPromiseCatch();