Bug 580128. Add more asserts to the interpreter to check that we're on the right compartment. r=mrbkap@gmail.com
authorAndreas Gal <gal@uci.edu>
Sun, 10 Oct 2010 15:38:13 -0700
changeset 55638 da920820ad253835562ae47a3c9c8c2edfb690a5
parent 55637 054d4492ad30ddd285fbef51f99d8c4670d27cad
child 55639 0be1bd4a843e47023379bcafabedd293446546c2
push id16269
push userjst@mozilla.com
push dateThu, 14 Oct 2010 01:40:35 +0000
reviewersmrbkap
bugs580128
milestone2.0b8pre
Bug 580128. Add more asserts to the interpreter to check that we're on the right compartment. r=mrbkap@gmail.com
js/src/jsinterp.cpp
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -1854,25 +1854,25 @@ namespace reprmeter {
                 fprintf(f, ",%s", reprName[o.uses[i]]);
             fprintf(f, ",%llu\n", c);
         }
         fclose(f);
     }
 }
 #endif /* JS_REPRMETER */
 
-#define PUSH_COPY(v)             *regs.sp++ = v
+#define PUSH_COPY(v)             do { *regs.sp++ = v; assertSameCompartment(cx, regs.sp[-1]); } while (0)
 #define PUSH_NULL()              regs.sp++->setNull()
 #define PUSH_UNDEFINED()         regs.sp++->setUndefined()
 #define PUSH_BOOLEAN(b)          regs.sp++->setBoolean(b)
 #define PUSH_DOUBLE(d)           regs.sp++->setDouble(d)
 #define PUSH_INT32(i)            regs.sp++->setInt32(i)
-#define PUSH_STRING(s)           regs.sp++->setString(s)
-#define PUSH_OBJECT(obj)         regs.sp++->setObject(obj)
-#define PUSH_OBJECT_OR_NULL(obj) regs.sp++->setObjectOrNull(obj)
+#define PUSH_STRING(s)           do { regs.sp++->setString(s); assertSameCompartment(cx, regs.sp[-1]); } while (0)
+#define PUSH_OBJECT(obj)         do { regs.sp++->setObject(obj); assertSameCompartment(cx, regs.sp[-1]); } while (0)
+#define PUSH_OBJECT_OR_NULL(obj) do { regs.sp++->setObjectOrNull(obj); assertSameCompartment(cx, regs.sp[-1]); } while (0)
 #define PUSH_HOLE()              regs.sp++->setMagic(JS_ARRAY_HOLE)
 #define POP_COPY_TO(v)           v = *--regs.sp
 #define POP_RETURN_VALUE()       regs.fp->setReturnValue(*--regs.sp)
 
 #define POP_BOOLEAN(cx, vp, b)                                                \
     JS_BEGIN_MACRO                                                            \
         vp = &regs.sp[-1];                                                    \
         if (vp->isNull()) {                                                   \
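Review bot: The rewritten PUSH_COPY, PUSH_STRING, PUSH_OBJECT and PUSH_OBJECT_OR_NULL bodies use a bare `do { … } while (0)`, whereas the neighbouring POP_BOOLEAN macro in the same block wraps its multi-statement body in the project's `JS_BEGIN_MACRO` / `JS_END_MACRO` pair; using the same wrapper keeps the macro block uniform, e.g. `#define PUSH_COPY(v) JS_BEGIN_MACRO *regs.sp++ = v; assertSameCompartment(cx, regs.sp[-1]); JS_END_MACRO`. Since these four lines are being rewritten anyway, the macro arguments could be parenthesised at the same time (`*regs.sp++ = (v)`, `setString((s))` etc.), as the current expansion of an unparenthesised `v` mis-parses a comma-expression argument. The change also turns these four macros from expressions into statements, so any remaining expression-context use elsewhere in the file will now be a compile error rather than a silent difference; that is caught by the build, but worth noting in the commit message. assertSameCompartment itself is not visible in this patch, so whether it is compiled out in non-debug builds cannot be confirmed from here.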
@@ -4088,16 +4088,17 @@ BEGIN_CASE(JSOP_GETXPROP)
                                         : JSGET_CACHE_RESULT | JSGET_METHOD_BARRIER,
                                         &rval)
                 : !obj->getProperty(cx, id, &rval)) {
                 goto error;
             }
         } while (0);
 
         regs.sp[-1] = rval;
+        assertSameCompartment(cx, regs.sp[-1]);
         JS_ASSERT(JSOP_GETPROP_LENGTH + i == js_CodeSpec[op].length);
         len = JSOP_GETPROP_LENGTH + i;
     }
 END_VARLEN_CASE
 
 BEGIN_CASE(JSOP_LENGTH)
     vp = &regs.sp[-1];
     if (vp->isString()) {
@@ -4165,16 +4166,17 @@ BEGIN_CASE(JSOP_CALLPROP)
             JS_ASSERT(obj2->containsSlot(slot));
             rval = obj2->lockedGetSlot(slot);
         } else {
             JS_ASSERT(entry->vword.isShape());
             const Shape *shape = entry->vword.toShape();
             NATIVE_GET(cx, &objv.toObject(), obj2, shape, JSGET_NO_METHOD_BARRIER, &rval);
         }
         regs.sp[-1] = rval;
+        assertSameCompartment(cx, regs.sp[-1]);
         PUSH_COPY(lval);
         goto end_callprop;
     }
 
     /*
      * Cache miss: use the immediate atom that was loaded for us under
      * PropertyCache::test.
      */
@@ -4187,25 +4189,27 @@ BEGIN_CASE(JSOP_CALLPROP)
                           JS_LIKELY(!aobj->getOps()->getProperty)
                           ? JSGET_CACHE_RESULT | JSGET_NO_METHOD_BARRIER
                           : JSGET_NO_METHOD_BARRIER,
                           &rval)) {
             goto error;
         }
         regs.sp[-1] = objv;
         regs.sp[-2] = rval;
+        assertSameCompartment(cx, regs.sp[-1], regs.sp[-2]);
     } else {
         JS_ASSERT(!objv.toObject().getOps()->getProperty);
         if (!js_GetPropertyHelper(cx, &objv.toObject(), id,
                                   JSGET_CACHE_RESULT | JSGET_NO_METHOD_BARRIER,
                                   &rval)) {
             goto error;
         }
         regs.sp[-1] = lval;
         regs.sp[-2] = rval;
+        assertSameCompartment(cx, regs.sp[-1], regs.sp[-2]);
     }
 
   end_callprop:
     /* Wrap primitive lval in object clothing if necessary. */
     if (lval.isPrimitive()) {
         /* FIXME: https://bugzilla.mozilla.org/show_bug.cgi?id=412571 */
         JSObject *funobj;
         if (!IsFunctionObject(rval, &funobj) ||
@@ -4467,16 +4471,17 @@ BEGIN_CASE(JSOP_GETELEM)
 
     if (!obj->getProperty(cx, id, &rval))
         goto error;
     copyFrom = &rval;
 
   end_getelem:
     regs.sp--;
     regs.sp[-1] = *copyFrom;
+    assertSameCompartment(cx, regs.sp[-1]);
 }
 END_CASE(JSOP_GETELEM)
 
 BEGIN_CASE(JSOP_CALLELEM)
 {
     /* Fetch the left part and resolve it to a non-null object. */
     JSObject *obj;
     FETCH_OBJECT(cx, -2, obj);
@@ -5841,16 +5846,17 @@ BEGIN_CASE(JSOP_SETTER)
 
     if (!obj->defineProperty(cx, id, UndefinedValue(), getter, setter, attrs))
         goto error;
 
     regs.sp += i;
     if (js_CodeSpec[op2].ndefs > js_CodeSpec[op2].nuses) {
         JS_ASSERT(js_CodeSpec[op2].ndefs == js_CodeSpec[op2].nuses + 1);
         regs.sp[-1] = rval;
+        assertSameCompartment(cx, regs.sp[-1]);
     }
     len = js_CodeSpec[op2].length;
     DO_NEXT_OP(len);
 }
 
 BEGIN_CASE(JSOP_HOLE)
     PUSH_HOLE();
 END_CASE(JSOP_HOLE)