Bug 1520536 - Handle same-compartment wrappers in TypedArrayObjectTemplate<T>::fromTypedArray. r=anba
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 17 Jan 2019 09:13:25 +0000
changeset 454274 494b88d492b13cdb790e6f503635db5bc022e8c2
parent 454273 655570f6b2eb5bcc1683e8846e2b90d6e81a7d54
child 454275 66959f0748b4847b9ef074d9665de4aa70eba2a7
push id76265
push userjdemooij@mozilla.com
push dateThu, 17 Jan 2019 11:38:36 +0000
treeherderautoland@494b88d492b1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersanba
bugs1520536
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1520536 - Handle same-compartment wrappers in TypedArrayObjectTemplate<T>::fromTypedArray. r=anba Differential Revision: https://phabricator.services.mozilla.com/D16796
js/src/jit-test/tests/typedarray/bug1520536.js
js/src/vm/TypedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/typedarray/bug1520536.js
@@ -0,0 +1,3 @@
+let a = wrapWithProto(new Int16Array([300]), {});
+let b = new Uint8ClampedArray(a);
+assertEq(b[0], 255);
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -1075,19 +1075,20 @@ template <typename T>
     if (!unwrapped) {
       ReportAccessDenied(cx);
       return nullptr;
     }
 
     srcArray = &unwrapped->as<TypedArrayObject>();
   }
 
-  // To keep things simpler, we always reify the array buffer for
-  // cross-realm typed arrays.
-  if (cx->realm() != srcArray->realm()) {
+  // To keep things simpler, we always reify the array buffer for cross-realm or
+  // wrapped typed arrays. Note: isWrapped does not imply cross-realm, because
+  // of same-compartment wrappers.
+  if (cx->realm() != srcArray->realm() || isWrapped) {
     if (!TypedArrayObject::ensureHasBuffer(cx, srcArray)) {
       return nullptr;
     }
   }
 
   // Step 6 (skipped).
 
   // Step 7.