Bug 1470181 - handle deserialization failure gracefully in JS IPC; r=evilpie
author: Alex Gaynor <agaynor@mozilla.com>
date: Thu, 21 Jun 2018 18:47:08 +0000
changeset: 423265 91899c39ed9ed09aebc5883c30ed79a194c38d9a
parent: 423264 927bbe6abacff9b55d54c9c52d6a656f0a46112b
child: 423266 c1561409e431468169a6f22acaece537fe3de934
push id: 65409
push user: rvandermeulen@mozilla.com
push date: Thu, 21 Jun 2018 19:21:06 +0000
treeherder: autoland@91899c39ed9e
reviewers: evilpie
bugs: 1470181
milestone: 62.0a1
Bug 1470181 - handle deserialization failure gracefully in JS IPC; r=evilpie

This primarily affects the efficiency of fuzzing.

Differential Revision: https://phabricator.services.mozilla.com/D1751
js/ipc/WrapperOwner.cpp
--- a/js/ipc/WrapperOwner.cpp
+++ b/js/ipc/WrapperOwner.cpp
@@ -1177,17 +1177,20 @@ WrapperOwner::fromObjectVariant(JSContex
         return fromLocalObjectVariant(cx, objVar.get_LocalObject());
     }
 }
 
 JSObject*
 WrapperOwner::fromRemoteObjectVariant(JSContext* cx, const RemoteObject& objVar)
 {
     Maybe<ObjectId> maybeObjId(ObjectId::deserialize(objVar.serializedId()));
-    MOZ_RELEASE_ASSERT(maybeObjId.isSome());
+    if (maybeObjId.isNothing()) {
+        return nullptr;
+    }
+
     ObjectId objId = maybeObjId.value();
     RootedObject obj(cx, findCPOWById(objId));
     if (!obj) {
 
         // All CPOWs live in the privileged junk scope.
         RootedObject junkScope(cx, xpc::PrivilegedJunkScope());
         JSAutoRealm ar(cx, junkScope);
         RootedValue v(cx, UndefinedValue());
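Review bot: the new early return in `if (maybeObjId.isNothing()) { return nullptr; }` gives back a null `JSObject*` without reporting anything on `cx`, so a caller that treats null as "exception pending" finds no exception set, and a caller that never checked for null (the release assert used to guarantee a valid id here) will now dereference it instead of the process stopping. Consider reporting an error alongside the return, e.g. `JS_ReportErrorASCII(cx, "invalid CPOW object id");`, and auditing the callers of `fromRemoteObjectVariant` (including `fromObjectVariant` above) for null handling. A one-line comment explaining that a malformed serialized id can arrive over the IPC channel from the other process, which is why this is an error path rather than an invariant, would also help the next reader understand why the assert was dropped.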