Bug 1525673. Don't assume that same-compartment means same-realm in WrapNewBindingNonWrapperCache. r=peterv
authorBoris Zbarsky <bzbarsky@mit.edu>
Mon, 11 Feb 2019 13:33:23 +0000
changeset 458508 100d9de169abb02adbdef29a056ea3ce45a74d95
parent 458507 d7989f40291e2d1551e4e86c611e9b5cde008da5
child 458509 4c4f5992c89e31b32a14df8663d9ff1a71f326a0
push id111855
push userbtara@mozilla.com
push dateMon, 11 Feb 2019 22:01:49 +0000
reviewerspeterv
bugs1525673
milestone67.0a1
Bug 1525673. Don't assume that same-compartment means same-realm in WrapNewBindingNonWrapperCache. r=peterv

Differential Revision: https://phabricator.services.mozilla.com/D18863
dom/bindings/BindingUtils.h
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -1166,18 +1166,24 @@ inline bool WrapNewBindingNonWrapperCach
       // there, so we need to succeed if that realm has access to the scope.
       scope =
           js::CheckedUnwrapDynamic(scope, cx, /* stopAtWindowProxy = */ false);
       if (!scope) return false;
       ar.emplace(cx, scope);
       if (!JS_WrapObject(cx, &proto)) {
         return false;
       }
+    } else {
+      // cx and scope are same-compartment, but they might still be
+      // different-Realm.  Enter the Realm of scope, since that's
+      // where we want to create our object.
+      ar.emplace(cx, scope);
     }
 
+    MOZ_ASSERT_IF(proto, js::IsObjectInContextCompartment(proto, cx));
     MOZ_ASSERT(js::IsObjectInContextCompartment(scope, cx));
     if (!value->WrapObject(cx, proto, &obj)) {
       return false;
     }
   }
 
   // We can end up here in all sorts of compartments, per above.  Make
   // sure to JS_WrapValue!
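Review bot: The two assertions ahead of `value->WrapObject(cx, proto, &obj)` check compartment membership only, which is the property this commit says is not sufficient; they would still pass if cx were in a different realm of scope's compartment. Since both branches now enter scope's realm through `ar.emplace(cx, scope)`, a realm-level debug check such as `MOZ_ASSERT(js::GetContextRealm(cx) == js::GetNonCCWObjectRealm(scope));` would pin the invariant that actually matters and would catch a later edit that drops one of the emplace calls. The same applies to the second hunk, which adds identical lines to what appears to be the other overload. The enclosing function begins before the hunk, so the `if` condition and the declaration of `ar` are not visible here.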
@@ -1218,18 +1224,24 @@ inline bool WrapNewBindingNonWrapperCach
       // there, so we need to succeed if that realm has access to the scope.
       scope =
           js::CheckedUnwrapDynamic(scope, cx, /* stopAtWindowProxy = */ false);
       if (!scope) return false;
       ar.emplace(cx, scope);
       if (!JS_WrapObject(cx, &proto)) {
         return false;
       }
+    } else {
+      // cx and scope are same-compartment, but they might still be
+      // different-Realm.  Enter the Realm of scope, since that's
+      // where we want to create our object.
+      ar.emplace(cx, scope);
     }
 
+    MOZ_ASSERT_IF(proto, js::IsObjectInContextCompartment(proto, cx));
     MOZ_ASSERT(js::IsObjectInContextCompartment(scope, cx));
     if (!value->WrapObject(cx, proto, &obj)) {
       return false;
     }
 
     value.forget();
   }