Bug 1525346 followup. Fix the assertEnteredPolicy failure to reopen the CLOSED TREE.

2024-10-22 09:45:41 +00:00 · 2019-02-06 15:51:28 -05:00 · 2019-02-06 15:51:28 -05:00 · eed069177d
commit eed069177d
parent 4399f97fbf
4 changed files with 21 additions and 8 deletions
--- a/dom/base/MaybeCrossOriginObject.cpp
+++ b/dom/base/MaybeCrossOriginObject.cpp
@ -437,14 +437,21 @@ JSObject* MaybeCrossOriginObject<Base>::enumerate(
  // CrossOriginObjectWrapper, but we'd still need special-case code here, so
  // let's just do all the work here.
  //
-  // BaseProxyHandler::enumerate does the right thing, as long as we make sure
-  // we pass the right object to it.
+  // BaseProxyHandler::enumerate would do the right thing if we passed the right
+  // object to it, but it would assert that we've entered the policy of the
+  // proxy we passed it, which may be a CCW, not us, and the policy we actually
+  // entered is ours.  So we basically reimplemnt it, but without that assert.
  JS::Rooted<JSObject*> self(cx, proxy);
  if (!MaybeWrapObject(cx, &self)) {
    return nullptr;
  }

-  return js::BaseProxyHandler::enumerate(cx, self);
+  js::AutoIdVector props(cx);
+  if (!js::GetPropertyKeys(cx, self, 0, &props)) {
+    return nullptr;
+  }
+
+  return js::EnumeratedIdVectorToIterator(cx, self, props);
 }

 // Force instantiations of the out-of-line template methods we need.
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@ -2798,6 +2798,12 @@ extern JS_FRIEND_API void LogDtor(void* self, const char* type, uint32_t sz);
 */
 extern JS_FRIEND_API uint64_t GetGCHeapUsageForObjectZone(JSObject* obj);

+/**
+ * Create an iterator for the given list of props and the given object
+ * being iterated.
+ */
+extern JS_FRIEND_API JSObject* EnumeratedIdVectorToIterator(
+    JSContext* cx, JS::HandleObject obj, JS::AutoIdVector& props);
 } /* namespace js */

 #endif /* jsfriendapi_h */
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@ -798,6 +798,8 @@ static inline PropertyIteratorObject* VectorToKeyIterator(JSContext* cx,
                                                          HandleObject obj,
                                                          AutoIdVector& props,
                                                          uint32_t numGuards) {
+  MOZ_ASSERT(cx->compartment() == obj->compartment(),
+             "We may end up allocating shapes in the wrong zone!");
  if (obj->isSingleton() && !JSObject::setIteratedSingleton(cx, obj)) {
    return nullptr;
  }
@ -806,8 +808,9 @@ static inline PropertyIteratorObject* VectorToKeyIterator(JSContext* cx,
  return CreatePropertyIterator(cx, obj, props, numGuards, 0);
 }

-JSObject* js::EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj,
-                                           AutoIdVector& props) {
+JS_FRIEND_API JSObject* js::EnumeratedIdVectorToIterator(JSContext* cx,
+                                                         HandleObject obj,
+                                                         AutoIdVector& props) {
  return VectorToKeyIterator(cx, obj, props, 0);
 }

--- a/js/src/vm/Iteration.h
+++ b/js/src/vm/Iteration.h
@ -369,9 +369,6 @@ JSObject* GetIterator(JSContext* cx, HandleObject obj);

 PropertyIteratorObject* LookupInIteratorCache(JSContext* cx, HandleObject obj);

-JSObject* EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj,
-                                       AutoIdVector& props);
-
 JSObject* NewEmptyPropertyIterator(JSContext* cx);

 JSObject* ValueToIterator(JSContext* cx, HandleValue vp);