Bug 1234428 - findPath wrap cross-compartment objects. r=jonco
authorNicolas B. Pierron <nicolas.b.pierron@mozilla.com>
Tue, 12 Jan 2016 11:23:49 +0000
changeset 320906 560d53d75ad66dbb358458305629c7018109e17c
parent 320905 a88bb7a3700c396caab67b6ea1979209089c8930
child 320907 a447e705ccc54ffc04d26c9ec8e63d3e7f1dcef0
push id9315
push useratolfsen@mozilla.com
push dateTue, 12 Jan 2016 19:08:25 +0000
reviewersjonco
bugs1234428
milestone46.0a1
Bug 1234428 - findPath wrap cross-compartment objects. r=jonco
js/src/builtin/TestingFunctions.cpp
js/src/jit-test/tests/self-test/findPath-bug1234428.js
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2492,17 +2492,21 @@ FindPath(JSContext* cx, unsigned argc, V
     // Walk |nodes| and |edges| in the stored order, and construct the result
     // array in start-to-target order.
     for (size_t i = 0; i < length; i++) {
         // Build an object describing the node and edge.
         RootedObject obj(cx, NewBuiltinClassInstance<PlainObject>(cx));
         if (!obj)
             return false;
 
-        if (!JS_DefineProperty(cx, obj, "node", nodes[i],
+        RootedValue wrapped(cx, nodes[i]);
+        if (!cx->compartment()->wrap(cx, &wrapped))
+            return false;
+
+        if (!JS_DefineProperty(cx, obj, "node", wrapped,
                                JSPROP_ENUMERATE, nullptr, nullptr))
             return false;
 
         heaptools::EdgeName edgeName = Move(edges[i]);
 
         RootedString edgeStr(cx, NewString<CanGC>(cx, edgeName.get(), js_strlen(edgeName.get())));
         if (!edgeStr)
             return false;
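Review bot: The new `RootedValue wrapped(cx, nodes[i]);` / `cx->compartment()->wrap(cx, &wrapped)` pair carries no comment saying why a node handed back by the heap walk needs wrapping, so a later reader is likely to see it as redundant and fold it back into the `JS_DefineProperty` call. I would put above it: `// The path may cross compartment boundaries (e.g. via Debugger wrappers),` / `// so |nodes[i]| is not necessarily in the current compartment; wrap it` / `// before storing it on |obj|.` The enclosing FindPath starts and ends outside this hunk.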
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/self-test/findPath-bug1234428.js
@@ -0,0 +1,23 @@
+// 1. --ion-eager causes all functions to be compiled with IonMonkey before
+//    executing them.
+// 2. Registering the onIonCompilation hook on the Debugger causes
+//    the JSScript of the function C to be wrapped in the Debugger compartment.
+// 3. The JSScript hold a pointer to its function C.
+// 4. The function C, hold its environment.
+// 5. The environment holds the Object o.
+g = newGlobal();
+g.parent = this;
+g.eval(`
+  dbg = Debugger(parent);
+  dbg.onIonCompilation = function () {};
+`);
+
+function foo() {
+  eval(`
+    var o = {};
+    function C() {};
+    new C;
+    findPath(o, o);
+  `);
+}
+foo();
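Review bot: The result of `findPath(o, o)` is discarded, so the test only verifies that the call completes; presumably the regression was an assertion failure in the shell, in which case that is enough, but the header comment should say so, e.g. `// 6. findPath must wrap the cross-compartment node instead of asserting.` Steps 3 and 4 of the header also read awkwardly: `// 3. The JSScript holds a pointer to its function C.` and `// 4. The function C holds its environment.`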