Bug 1252511 - Fix faulty assertion involving user-defined structured clone tags, r=terrence
author Steve Fink <sfink@mozilla.com>
Fri, 22 Jul 2016 16:48:35 -0700
changeset 307074 3ed34ab50aca0dfaaf5ee9b4690b2409a9ea834c
parent 307073 96527a436bd86b0d83bb4f73b17c21b847ed40d7
child 307075 cb8fa39583a98b02fe0f990369a9c70e42e9b276
push id 80018
push user sfink@mozilla.com
push date Thu, 28 Jul 2016 18:32:47 +0000
reviewers terrence
bugs 1252511
milestone 50.0a1
Bug 1252511 - Fix faulty assertion involving user-defined structured clone tags, r=terrence

This previously asserted that the entry after the transfer map, if nonempty, contained a tag less than SCTAG_TRANSFER_MAP_HEADER, as that is where all of the standard tags live. However, user-defined tags start *above* the transfer map entries, so if the first object serialized was a user-defined object (e.g. a Blob), the assertion would fail.

MozReview-Commit-ID: KJqHoH22MW4
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -1375,18 +1375,25 @@ JSStructuredCloneWriter::transferOwnersh
         }
 
         LittleEndian::writeUint64(point++, PairToUInt64(tag, ownership));
         LittleEndian::writeUint64(point++, reinterpret_cast<uint64_t>(content));
         LittleEndian::writeUint64(point++, extraData);
     }
 
     MOZ_ASSERT(point <= out.rawBuffer() + out.count());
-    MOZ_ASSERT_IF(point < out.rawBuffer() + out.count(),
-                  uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER);
+#if DEBUG
+    // Make sure there aren't any more transfer map entries after the expected
+    // number we read out.
+    if (point < out.rawBuffer() + out.count()) {
+        uint32_t tag, data;
+        SCInput::getPair(point, &tag, &data);
+        MOZ_ASSERT(tag < SCTAG_TRANSFER_MAP_HEADER || tag >= SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES);
+    }
+#endif
 
     return true;
 }
 
 bool
 JSStructuredCloneWriter::write(HandleValue v)
 {
     if (!startWrite(v))
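Review bot: The comment in the new `#if DEBUG` block says only that there should be no further transfer map entries, and does not explain why the assertion also accepts `tag >= SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES`. The commit message has the reason (user-defined tags start above the transfer map entries, so the first serialized object can legitimately carry such a tag); please carry that into the code comment so the second clause is not later narrowed back to the old `< SCTAG_TRANSFER_MAP_HEADER` check. It would also help to state in the comment that the accepted set is everything outside the range from `SCTAG_TRANSFER_MAP_HEADER` up to `SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES`, since the assertion is what guards against the entry after the map being read as one more transfer entry. Minor: if the rest of this file guards debug-only code with `#ifdef DEBUG`, use that form here for consistency. The change touches only `js/src/vm/StructuredClone.cpp`; a regression test that serializes a user-defined object first, the case described in the commit message, would keep the assertion from regressing.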