Bug 1525905 - Require both arguments to JS_TransplantObject to be non-gray r=sfink r=bz
authorJon Coppeard <jcoppeard@mozilla.com>
Sat, 09 Feb 2019 07:30:08 +0000
changeset 516286 3cf706639eda1303f57ce7c9105b69ad857b8172
parent 516285 2b27038adbe4e8d973019b070cf576babcc149d4
child 516287 6a082aaab830dacca68c8632f0a0053991618a28
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
treeherdermozilla-beta@a2e7f5c935da [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssfink, bz
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1525905 - Require both arguments to JS_TransplantObject to be non-gray r=sfink r=bz
--- a/dom/base/nsGlobalWindowOuter.cpp
+++ b/dom/base/nsGlobalWindowOuter.cpp
@@ -2075,17 +2075,17 @@ nsresult nsGlobalWindowOuter::SetNewDocu
       JS::Rooted<JSObject*> outerObject(
           cx, NewOuterWindowProxy(cx, newInnerGlobal, thisChrome));
       if (!outerObject) {
         NS_ERROR("out of memory");
         return NS_ERROR_FAILURE;
-      JS::Rooted<JSObject*> obj(cx, GetWrapperPreserveColor());
+      JS::Rooted<JSObject*> obj(cx, GetWrapper());
       js::SetProxyReservedSlot(obj, OUTER_WINDOW_SLOT,
       js::SetProxyReservedSlot(outerObject, OUTER_WINDOW_SLOT,
       js::SetProxyReservedSlot(obj, HOLDER_WEAKMAP_SLOT, JS::UndefinedValue());
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -680,16 +680,17 @@ static void ReleaseAssertObjectHasNoWrap
 JS_PUBLIC_API JSObject* JS_TransplantObject(JSContext* cx, HandleObject origobj,
                                             HandleObject target) {
   MOZ_ASSERT(origobj != target);
   MOZ_ASSERT(origobj->getClass() == target->getClass());
   ReleaseAssertObjectHasNoWrappers(cx, target);
+  JS::AssertCellIsNotGray(origobj);
   RootedValue origv(cx, ObjectValue(*origobj));
   RootedObject newIdentity(cx);
   // Don't allow a compacting GC to observe any intermediate state.
   AutoDisableCompactingGC nocgc(cx);
@@ -697,23 +698,19 @@ JS_PUBLIC_API JSObject* JS_TransplantObj
   JS::Compartment* destination = target->compartment();
   if (origobj->compartment() == destination) {
     // If the original object is in the same compartment as the
     // destination, then we know that we won't find a wrapper in the
     // destination's cross compartment map and that the same
     // object will continue to work.
-    AutoRealmUnchecked ar(cx, origobj->nonCCWRealm());
+    AutoRealm ar(cx, origobj);
     JSObject::swap(cx, origobj, target);
     newIdentity = origobj;
-    // |origobj| might be gray so unmark it to avoid returning a possibly-gray
-    // object.
-    JS::ExposeObjectToActiveJS(newIdentity);
   } else if (WrapperMap::Ptr p = destination->lookupWrapper(origv)) {
     // There might already be a wrapper for the original object in
     // the new compartment. If there is, we use its identity and swap
     // in the contents of |target|.
     newIdentity = &p->value().get().toObject();
     // When we remove origv from the wrapper map, its wrapper, newIdentity,
     // must immediately cease to be a cross-compartment wrapper. Nuke it.
@@ -734,17 +731,17 @@ JS_PUBLIC_API JSObject* JS_TransplantObj
   // cached wrapper state.
   if (!RemapAllWrappersForObject(cx, origobj, newIdentity)) {
   // Lastly, update the original object to point to the new one.
   if (origobj->compartment() != destination) {
     RootedObject newIdentityWrapper(cx, newIdentity);
-    AutoRealmUnchecked ar(cx, origobj->nonCCWRealm());
+    AutoRealm ar(cx, origobj);
     if (!JS_WrapObject(cx, &newIdentityWrapper)) {
     MOZ_ASSERT(Wrapper::wrappedObject(newIdentityWrapper) == newIdentity);
     JSObject::swap(cx, origobj, newIdentityWrapper);
     if (!origobj->compartment()->putWrapper(
             cx, CrossCompartmentKey(newIdentity), origv)) {