Bug 1518753 part 3 - Fix TypedArrayObject::ensureHasBuffer to create the buffer in the array's realm. r=anba
authorJan de Mooij <jdemooij@mozilla.com>
Sat, 12 Jan 2019 10:49:58 +0000
changeset 453629 b32c2548fa6b
parent 453628 92f0cf276198
child 453630 1d49da4facd7
push id35362
push userncsoregi@mozilla.com
push dateSat, 12 Jan 2019 21:35:38 +0000
reviewersanba
bugs1518753
milestone66.0a1
Bug 1518753 part 3 - Fix TypedArrayObject::ensureHasBuffer to create the buffer in the array's realm. r=anba Differential Revision: https://phabricator.services.mozilla.com/D16168
js/src/jit-test/tests/realms/basic.js
js/src/vm/TypedArrayObject.cpp
--- a/js/src/jit-test/tests/realms/basic.js
+++ b/js/src/jit-test/tests/realms/basic.js
@@ -63,8 +63,18 @@ function testCCWs() {
     g2.o2 = {x: 2};
     g1 = null;
     gc();
     g2.o3 = {x: 3};
     assertEq(g2.o2.x, 2);
     assertEq(g2.o3.x, 3);
 }
 testCCWs();
+
+function testTypedArrayLazyBuffer(global) {
+    var arr1 = new global.Int32Array(1);
+    var arr2 = new Int32Array(arr1);
+    assertEq(objectGlobal(arr2.buffer), this);
+    global.buf = arr1.buffer;
+    global.eval("assertEq(objectGlobal(buf), this);");
+}
+testTypedArrayLazyBuffer(newGlobal());
+testTypedArrayLazyBuffer(newGlobal({sameCompartmentAs: this}));
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -72,16 +72,17 @@ using mozilla::IsAsciiDigit;
 }
 
 /* static */ bool TypedArrayObject::ensureHasBuffer(
     JSContext* cx, Handle<TypedArrayObject*> tarray) {
   if (tarray->hasBuffer()) {
     return true;
   }
 
+  AutoRealm ar(cx, tarray);
   Rooted<ArrayBufferObject*> buffer(
       cx, ArrayBufferObject::create(cx, tarray->byteLength()));
   if (!buffer) {
     return false;
   }
 
   // Attaching the first view to an array buffer is infallible.
   MOZ_ALWAYS_TRUE(buffer->addView(cx, tarray));
@@ -1078,22 +1079,22 @@ template <typename T>
     srcArray = &other->as<TypedArrayObject>();
   } else {
     RootedObject unwrapped(cx, CheckedUnwrap(other));
     if (!unwrapped) {
       ReportAccessDenied(cx);
       return nullptr;
     }
 
-    JSAutoRealm ar(cx, unwrapped);
+    srcArray = &unwrapped->as<TypedArrayObject>();
+  }
 
-    srcArray = &unwrapped->as<TypedArrayObject>();
-
-    // To keep things simpler, we always reify the array buffer for
-    // wrapped typed arrays.
+  // To keep things simpler, we always reify the array buffer for
+  // cross-realm typed arrays.
+  if (cx->realm() != srcArray->realm()) {
     if (!TypedArrayObject::ensureHasBuffer(cx, srcArray)) {
       return nullptr;
     }
   }
 
   // Step 6 (skipped).
 
   // Step 7.
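Review bot: The rewritten comment `// To keep things simpler, we always reify the array buffer for cross-realm typed arrays.` no longer explains why dropping the `JSAutoRealm` around this call is safe; the reason is the `AutoRealm ar(cx, tarray)` added to `ensureHasBuffer` in the first hunk, which makes the buffer get created in the source array's realm rather than `cx->realm()`. I would extend it to `// Cross-realm sources always get a reified buffer. ensureHasBuffer enters the source array's realm, so the buffer is created there, not in cx->realm().` so the next reader does not reintroduce a realm switch here. In the first hunk that `AutoRealm` stays in effect for the rest of `ensureHasBuffer`, including the `addView` call and whatever follows the hunk; if any later code there is expected to run in the caller's realm it should be scoped more tightly, which I cannot tell from here. The enclosing function of this hunk starts outside the hunk, and `ensureHasBuffer` continues past the end of the first one.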