Bug 1288555 - Fix structured cloning. r=Waldo, a=ritu
authorSteve Fink <sfink@mozilla.com>
Thu, 21 Jul 2016 13:06:27 -0700
changeset 332751 8ececbd9880dc48a879d7a0d44dbf5e15248b09c
parent 332750 d927ac40c9a6803c3338e5388d8222cada59a76f
child 332752 5203cfbd484a98acb1b68c8082195e51735cf0ff
push id9913
push userryanvm@gmail.com
push dateWed, 17 Aug 2016 22:15:07 +0000
reviewersWaldo, ritu
bugs1288555
milestone50.0a2
Bug 1288555 - Fix structured cloning. r=Waldo, a=ritu
js/src/vm/ArrayBufferObject.cpp
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -259,16 +259,18 @@ NoteViewBufferWasDetached(ArrayBufferVie
     // Notify compiled jit code that the base pointer has moved.
     MarkObjectStateChange(cx, view);
 }
 
 /* static */ bool
 ArrayBufferObject::detach(JSContext* cx, Handle<ArrayBufferObject*> buffer,
                           BufferContents newContents)
 {
+    assertSameCompartment(cx, buffer);
+
     if (buffer->isWasm()) {
         JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_OUT_OF_MEMORY);
         return false;
     }
 
     // When detaching buffers where we don't know all views, the new data must
     // match the old data. All missing views are typed objects, which do not
     // expect their data to ever change.
@@ -727,16 +729,17 @@ ArrayBufferObject::createDataViewForThis
     return CallNonGenericMethod<IsArrayBuffer, createDataViewForThisImpl>(cx, args);
 }
 
 /* static */ ArrayBufferObject::BufferContents
 ArrayBufferObject::stealContents(JSContext* cx, Handle<ArrayBufferObject*> buffer,
                                  bool hasStealableContents)
 {
     MOZ_ASSERT_IF(hasStealableContents, buffer->hasStealableContents());
+    assertSameCompartment(cx, buffer);
 
     BufferContents oldContents(buffer->dataPointer(), buffer->bufferKind());
     BufferContents newContents = AllocateArrayBufferContents(cx, buffer->byteLength());
     if (!newContents)
         return BufferContents::createPlain(nullptr);
 
     if (hasStealableContents) {
         // Return the old contents and give the detached buffer a pointer to
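Review bot: The assertSameCompartment(cx, buffer) added at the top of detach states a compartment invariant without saying why it exists or who is expected to establish it, and a one-line comment above it would help, e.g. `// cx must already be in buffer's compartment; cross-compartment callers enter it first.` The same goes for the assertion added in stealContents in the second hunk, where the reason is presumably that AllocateArrayBufferContents(cx, ...) is charged to cx's current compartment, which is worth confirming and stating next to the check. As far as I recall assertSameCompartment is compiled out in release builds, so these lines add no runtime protection there and the actual fix is the compartment entry in StructuredClone.cpp. detach's body continues past the hunk.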
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -1330,16 +1330,17 @@ JSStructuredCloneWriter::transferOwnersh
         ESClass cls;
         if (!GetBuiltinClass(context(), obj, &cls))
             return false;
 
         if (cls == ESClass::ArrayBuffer) {
             // The current setup of the array buffer inheritance hierarchy doesn't
             // lend itself well to generic manipulation via proxies.
             Rooted<ArrayBufferObject*> arrayBuffer(context(), &CheckedUnwrap(obj)->as<ArrayBufferObject>());
+            JSAutoCompartment ac(context(), arrayBuffer);
             size_t nbytes = arrayBuffer->byteLength();
 
             // Structured cloning currently only has optimizations for mapped
             // and malloc'd buffers, not asm.js-ified buffers.
             bool hasStealableContents = arrayBuffer->hasStealableContents() &&
                                         (arrayBuffer->isMapped() || arrayBuffer->hasMallocedContents());
 
             ArrayBufferObject::BufferContents bufContents =
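Review bot: The JSAutoCompartment added after the CheckedUnwrap line carries no explanation, and its scope (the rest of the `if (cls == ESClass::ArrayBuffer)` block, which continues past the hunk through the steal/detach calls) is exactly what makes the new assertSameCompartment checks in ArrayBufferObject.cpp hold; a comment would make that dependency explicit, e.g. `// The unwrapped buffer may live in another compartment; enter it so the steal/detach helpers below see a matching cx and buffer.` Separately, the unwrapped pointer is dereferenced on the preceding line without a null check; if CheckedUnwrap can return nullptr on this path (as I recall it does for wrappers that refuse to unwrap), a MOZ_ASSERT or early return before the new line would be warranted, though the earlier GetBuiltinClass success may already rule that case out. transferOwnership starts and ends outside the hunk.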