Bug 1518764: Handle dead proxies in intrinsic_ConstructorForTypedArray by switching to UnwrapAndDowncastValue. r=jandem
authorAndré Bargull <andre.bargull@gmail.com>
Wed, 09 Jan 2019 08:13:05 -0800
changeset 453278 ed68c008e5d8db0940a1fbc31bfc24efccba6c26
parent 453277 c9fcbe28afdadd45d371ba150ff9c1502a19c6e3
child 453279 335ad6821a2e7235c49f3936945f8f56ba1fabf6
child 453381 4049f219ced182cfa21194559b2dd17e48312af3
push id111070
push usercsabou@mozilla.com
push dateThu, 10 Jan 2019 18:50:22 +0000
reviewersjandem
bugs1518764
milestone66.0a1
Bug 1518764: Handle dead proxies in intrinsic_ConstructorForTypedArray by switching to UnwrapAndDowncastValue. r=jandem
js/src/jit-test/tests/typedarray/bug1518764.js
js/src/vm/SelfHosting.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/typedarray/bug1518764.js
@@ -0,0 +1,8 @@
+// |jit-test| error:dead object
+
+var g = newGlobal();
+var ta = new g.Int32Array(1);
+Int32Array.prototype.filter.call(ta, function() {
+    nukeAllCCWs();
+    return true;
+});
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@@ -53,16 +53,17 @@
 #include "vm/Realm.h"
 #include "vm/RegExpObject.h"
 #include "vm/StringType.h"
 #include "vm/TypedArrayObject.h"
 #include "vm/WrapperObject.h"
 
 #include "gc/PrivateIterators-inl.h"
 #include "vm/BooleanObject-inl.h"
+#include "vm/Compartment-inl.h"
 #include "vm/JSAtom-inl.h"
 #include "vm/JSFunction-inl.h"
 #include "vm/JSObject-inl.h"
 #include "vm/JSScript-inl.h"
 #include "vm/NativeObject-inl.h"
 #include "vm/NumberObject-inl.h"
 #include "vm/StringObject-inl.h"
 
@@ -2102,19 +2103,20 @@ static bool intrinsic_IsConstructing(JSC
 }
 
 static bool intrinsic_ConstructorForTypedArray(JSContext* cx, unsigned argc,
                                                Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
   MOZ_ASSERT(args.length() == 1);
   MOZ_ASSERT(args[0].isObject());
 
-  RootedObject object(cx, &args[0].toObject());
-  object = CheckedUnwrap(object);
-  MOZ_ASSERT(object->is<TypedArrayObject>());
+  auto* object = UnwrapAndDowncastValue<TypedArrayObject>(cx, args[0]);
+  if (!object) {
+    return false;
+  }
 
   JSProtoKey protoKey = StandardProtoKeyOrNull(object);
   MOZ_ASSERT(protoKey);
 
   // While it may seem like an invariant that in any compartment,
   // seeing a typed array object implies that the TypedArray constructor
   // for that type is initialized on the compartment's global, this is not
   // the case. When we construct a typed array given a cross-compartment
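Review bot: The replacement line `auto* object = UnwrapAndDowncastValue<TypedArrayObject>(cx, args[0]);` carries no comment on why the former CheckedUnwrap plus MOZ_ASSERT was insufficient, so the purpose of the new early `return false` is only recoverable from the bug title. A short comment above it would keep that intent with the code: `// args[0] may be a dead (nuked) cross-compartment wrapper; UnwrapAndDowncastValue reports the error and returns nullptr in that case, so propagate the failure instead of asserting.` The bare `return false` presumably depends on UnwrapAndDowncastValue having already set a pending exception; that is worth confirming against its definition in the newly included Compartment-inl.h, since returning false without a pending exception would surface as an uncatchable failure rather than the "dead object" error the accompanying jit-test expects. The enclosing function, and the explanatory comment that starts at the end of this hunk, continue past the hunk.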