Backed out changeset 6b7d7b8605ea (bug 1433642)
authorSteve Fink <sfink@mozilla.com>
Tue, 24 Apr 2018 16:01:56 -0700
changeset 469029 0bea67efaa0a746dc54229ad5475cf73bb5356d6
parent 469028 85a77aec89fbf269c6b39fcb037233359665656e
child 469030 d7be222e99c633f30137e37b8f72742caa715011
push id9165
push userasasaki@mozilla.com
push dateThu, 26 Apr 2018 21:04:54 +0000
bugs1433642
milestone61.0a1
backs out6b7d7b8605ea2240498f01eab16c0940f6e0cc30
Backed out changeset 6b7d7b8605ea (bug 1433642)
js/public/StructuredClone.h
js/src/builtin/TestingFunctions.cpp
--- a/js/public/StructuredClone.h
+++ b/js/public/StructuredClone.h
@@ -466,21 +466,16 @@ class MOZ_NON_MEMMOVABLE JS_PUBLIC_API(J
             return AppendBytes(data, size);
         });
     }
 
     size_t SizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) {
         return bufList_.SizeOfExcludingThis(mallocSizeOf);
     }
 
-    // Temporary until the scope is moved into JSStructuredCloneData.
-    void IgnoreTransferables() {
-        ownTransferables_ = OwnTransferablePolicy::IgnoreTransferablesIfAny;
-    }
-
     void discardTransferables();
 };
 
 /**
  * Implements StructuredDeserialize and StructuredDeserializeWithTransfer.
  *
  * Note: If `data` contains transferable objects, it can be read only once.
  */
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2737,33 +2737,33 @@ static bool
 SetIonCheckGraphCoherency(JSContext* cx, unsigned argc, Value* vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     jit::JitOptions.checkGraphConsistency = ToBoolean(args.get(0));
     args.rval().setUndefined();
     return true;
 }
 
-// A JSObject that holds structured clone data, similar to the C++ class
-// JSAutoStructuredCloneBuffer.
 class CloneBufferObject : public NativeObject {
     static const JSPropertySpec props_[3];
 
     static const size_t DATA_SLOT = 0;
-    static const size_t SYNTHETIC_SLOT = 1;
-    static const size_t NUM_SLOTS = 2;
+    static const size_t LENGTH_SLOT = 1;
+    static const size_t SYNTHETIC_SLOT = 2;
+    static const size_t NUM_SLOTS = 3;
 
   public:
     static const Class class_;
 
     static CloneBufferObject* Create(JSContext* cx) {
         RootedObject obj(cx, JS_NewObject(cx, Jsvalify(&class_)));
         if (!obj)
             return nullptr;
         obj->as<CloneBufferObject>().setReservedSlot(DATA_SLOT, PrivateValue(nullptr));
+        obj->as<CloneBufferObject>().setReservedSlot(LENGTH_SLOT, Int32Value(0));
         obj->as<CloneBufferObject>().setReservedSlot(SYNTHETIC_SLOT, BooleanValue(false));
 
         if (!JS_DefineProperties(cx, obj, props_))
             return nullptr;
 
         return &obj->as<CloneBufferObject>();
     }
 
@@ -2788,25 +2788,24 @@ class CloneBufferObject : public NativeO
     bool isSynthetic() const {
         return getReservedSlot(SYNTHETIC_SLOT).toBoolean();
     }
 
     void setData(JSStructuredCloneData* aData, bool synthetic) {
         MOZ_ASSERT(!data());
         setReservedSlot(DATA_SLOT, PrivateValue(aData));
         setReservedSlot(SYNTHETIC_SLOT, BooleanValue(synthetic));
-
-        // Temporary until the scope is moved into JSStructuredCloneData.
-        if (synthetic)
-            aData->IgnoreTransferables();
     }
 
     // Discard an owned clone buffer.
     void discard() {
-        js_delete(data());
+        if (data()) {
+            JSAutoStructuredCloneBuffer clonebuf(JS::StructuredCloneScope::SameProcessSameThread, nullptr, nullptr);
+            clonebuf.adopt(Move(*data()));
+        }
         setReservedSlot(DATA_SLOT, PrivateValue(nullptr));
     }
 
     static bool
     setCloneBuffer_impl(JSContext* cx, const CallArgs& args) {
         Rooted<CloneBufferObject*> obj(cx, &args.thisv().toObject().as<CloneBufferObject>());
 
         uint8_t* data = nullptr;
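Review bot: In discard(), `clonebuf.adopt(Move(*data()))` moves the contents out of the JSStructuredCloneData that `data()` points to, but the pointed-to object itself is never freed before the slot is reset to `PrivateValue(nullptr)` on the next line, so the wrapper object is dropped without being released. setData() stores a raw `JSStructuredCloneData*`, and the line this hunk removes (`js_delete(data())`) indicates the object is heap-allocated, so unless ownership is transferred elsewhere this leaks one wrapper per discard; I would keep the adopt block and add `js_delete(data());` as its last statement, before the slot reset. The scope passed to the temporary JSAutoStructuredCloneBuffer is hard-coded to SameProcessSameThread; whether that matches the scope the buffer was produced with is not visible from this hunk and is worth a comment on why it is acceptable for a discard path. setCloneBuffer_impl begins in this hunk but its body continues outside it.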
@@ -3079,49 +3078,46 @@ Deserialize(JSContext* cx, unsigned argc
             if (!str)
                 return false;
             auto maybeScope = ParseCloneScope(cx, str);
             if (!maybeScope) {
                 JS_ReportErrorASCII(cx, "Invalid structured clone scope");
                 return false;
             }
 
-            if (fuzzingSafe && *maybeScope < scope) {
-                JS_ReportErrorASCII(cx, "Fuzzing builds must not set less restrictive scope "
-                                    "than the deserialized clone buffer's scope");
-                return false;
-            }
-
             scope = *maybeScope;
         }
     }
 
     // Clone buffer was already consumed?
     if (!obj->data()) {
         JS_ReportErrorASCII(cx, "deserialize given invalid clone buffer "
                             "(transferables already consumed?)");
         return false;
     }
 
     bool hasTransferable;
     if (!JS_StructuredCloneHasTransferables(*obj->data(), &hasTransferable))
         return false;
 
+    if (obj->isSynthetic() && scope != JS::StructuredCloneScope::DifferentProcess) {
+        JS_ReportErrorASCII(cx, "clone buffer data is synthetic but may contain pointers");
+        return false;
+    }
+
     RootedValue deserialized(cx);
     if (!JS_ReadStructuredClone(cx, *obj->data(),
                                 JS_STRUCTURED_CLONE_VERSION,
                                 scope,
                                 &deserialized, nullptr, nullptr))
     {
         return false;
     }
     args.rval().set(deserialized);
 
-    // Consume any clone buffer with transferables; throw an error if it is
-    // deserialized again.
     if (hasTransferable)
         obj->discard();
 
     return true;
 }
 
 static bool
 DetachArrayBuffer(JSContext* cx, unsigned argc, Value* vp)
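Review bot: The failure branch of JS_ReadStructuredClone returns false without discarding the buffer, while the success path discards it when `hasTransferable` is set, so after a failed read a buffer with transferables stays in DATA_SLOT and a later deserialize() call can hand the same transferable contents to JS_ReadStructuredClone again. Whether a failed read has already consumed or detached the transferred objects is not visible from this hunk, so this should be checked against JS_ReadStructuredClone's contract; if it has, the failure branch should also run `if (hasTransferable) obj->discard();` before `return false;`. With the explanatory comment above `if (hasTransferable)` gone, a short `// A buffer with transferables can only be read once.` there would preserve the reasoning. Deserialize's body begins outside this hunk.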