Bug 1527592 - Preserve callable/constructor flags when returning a dead object proxy from Compartment::wrap. r=evilpie,jorendorff

Differential Revision: https://phabricator.services.mozilla.com/D19945 --HG-- extra : moz-landing-system : lando
2024-10-11 12:25:53 +00:00 · 2019-02-19 10:11:27 +00:00 · 2019-02-19 10:11:27 +00:00 · f0d43beec0
commit f0d43beec0
parent 095c9d9c6f
4 changed files with 30 additions and 1 deletions
--- a/js/src/jit-test/tests/basic/bug1527592.js
+++ b/js/src/jit-test/tests/basic/bug1527592.js
@ -0,0 +1,7 @@
+// |jit-test| error:dead object
+var g1 = newGlobal();
+var g2 = newGlobal({newCompartment: true});
+var f = g2.Function("");
+nukeAllCCWs();
+var c = new class extends f {};
+c();
--- a/js/src/proxy/DeadObjectProxy.cpp
+++ b/js/src/proxy/DeadObjectProxy.cpp
@ -160,3 +160,18 @@ JSObject* js::NewDeadProxyObject(JSContext* cx, JSObject* origObj) {
  return NewProxyObject(cx, &DeadObjectProxy::singleton, target, nullptr,
                        ProxyOptions());
 }
+
+JSObject* js::NewDeadProxyObject(JSContext* cx, IsCallableFlag isCallable,
+                                 IsConstructorFlag isConstructor) {
+  int32_t flags = 0;
+  if (isCallable == IsCallableFlag::True) {
+    flags |= DeadObjectProxyIsCallable;
+  }
+  if (isConstructor == IsConstructorFlag::True) {
+    flags |= DeadObjectProxyIsConstructor;
+  }
+
+  RootedValue target(cx, Int32Value(flags));
+  return NewProxyObject(cx, &DeadObjectProxy::singleton, target, nullptr,
+                        ProxyOptions());
+}
--- a/js/src/proxy/DeadObjectProxy.h
+++ b/js/src/proxy/DeadObjectProxy.h
@ -89,6 +89,12 @@ Value DeadProxyTargetValue(ProxyObject* obj);

 JSObject* NewDeadProxyObject(JSContext* cx, JSObject* origObj = nullptr);

+enum class IsCallableFlag : bool { False, True };
+enum class IsConstructorFlag : bool { False, True };
+
+JSObject* NewDeadProxyObject(JSContext* cx, IsCallableFlag isCallable,
+                             IsConstructorFlag isConstructor);
+
 } /* namespace js */

 #endif /* proxy_DeadObjectProxy_h */
--- a/js/src/vm/Compartment.cpp
+++ b/js/src/vm/Compartment.cpp
@ -218,7 +218,8 @@ bool Compartment::getNonWrapperObjectForCurrentCompartment(
  // Disallow creating new wrappers if we nuked the object's realm or the
  // current compartment.
  if (!AllowNewWrapper(this, obj)) {
-    JSObject* res = NewDeadProxyObject(cx);
+    JSObject* res = NewDeadProxyObject(cx, IsCallableFlag(obj->isCallable()),
+                                       IsConstructorFlag(obj->isConstructor()));
    if (!res) {
      return false;
    }