Bug 1288555 - Fix structured cloning. r=Waldo, a=ritu
authorSteve Fink <sfink@mozilla.com>
Thu, 21 Jul 2016 13:06:27 -0700
changeset 340347 6cfff98fe1a07527db71b5e83a5ed79b8ee29de5
parent 340346 50aa7f83a669ca388d0608857093d1eee6d35e4e
child 340348 2f0d41e6e82f7bb861e312310f75c5a628412f5b
push id6312
push userryanvm@gmail.com
push dateWed, 17 Aug 2016 22:46:23 +0000
reviewersWaldo, ritu
bugs1288555
milestone49.0
Bug 1288555 - Fix structured cloning. r=Waldo, a=ritu
js/src/vm/ArrayBufferObject.cpp
js/src/vm/StructuredClone.cpp
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -259,16 +259,18 @@ NoteViewBufferWasDetached(ArrayBufferVie
     // Notify compiled jit code that the base pointer has moved.
     MarkObjectStateChange(cx, view);
 }
 
 /* static */ bool
 ArrayBufferObject::detach(JSContext* cx, Handle<ArrayBufferObject*> buffer,
                           BufferContents newContents)
 {
+    assertSameCompartment(cx, buffer);
+
     if (buffer->isWasm()) {
         JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_OUT_OF_MEMORY);
         return false;
     }
 
     // When detaching buffers where we don't know all views, the new data must
     // match the old data. All missing views are typed objects, which do not
     // expect their data to ever change.
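Review bot: The added `assertSameCompartment(cx, buffer)` states a precondition without saying why it holds, and if it follows the usual SpiderMonkey pattern it is compiled out of non-diagnostic builds, so nothing in this function enforces it at runtime; the only enforcement is the caller entering the buffer's compartment, as the StructuredClone.cpp hunk does. A one-line comment above the assertion would keep the next caller from repeating the original mistake, e.g. `// Callers must already be in |buffer|'s compartment: the error report below (and the caller's handling of the contents) go through |cx|.` The same applies to the identical assertion added in stealContents in the next hunk, where the `AllocateArrayBufferContents(cx, ...)` call makes the dependence on the current compartment visible. detach's body continues outside this hunk.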
@@ -721,16 +723,17 @@ ArrayBufferObject::createDataViewForThis
     return CallNonGenericMethod<IsArrayBuffer, createDataViewForThisImpl>(cx, args);
 }
 
 /* static */ ArrayBufferObject::BufferContents
 ArrayBufferObject::stealContents(JSContext* cx, Handle<ArrayBufferObject*> buffer,
                                  bool hasStealableContents)
 {
     MOZ_ASSERT_IF(hasStealableContents, buffer->hasStealableContents());
+    assertSameCompartment(cx, buffer);
 
     BufferContents oldContents(buffer->dataPointer(), buffer->bufferKind());
     BufferContents newContents = AllocateArrayBufferContents(cx, buffer->byteLength());
     if (!newContents)
         return BufferContents::createPlain(nullptr);
 
     if (hasStealableContents) {
         // Return the old contents and give the detached buffer a pointer to
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -1328,16 +1328,17 @@ JSStructuredCloneWriter::transferOwnersh
         ESClassValue cls;
         if (!GetBuiltinClass(context(), obj, &cls))
             return false;
 
         if (cls == ESClass_ArrayBuffer) {
             // The current setup of the array buffer inheritance hierarchy doesn't
             // lend itself well to generic manipulation via proxies.
             Rooted<ArrayBufferObject*> arrayBuffer(context(), &CheckedUnwrap(obj)->as<ArrayBufferObject>());
+            JSAutoCompartment ac(context(), arrayBuffer);
             size_t nbytes = arrayBuffer->byteLength();
 
             // Structured cloning currently only has optimizations for mapped
             // and malloc'd buffers, not asm.js-ified buffers.
             bool hasStealableContents = arrayBuffer->hasStealableContents() &&
                                         (arrayBuffer->isMapped() || arrayBuffer->hasMallocedContents());
 
             ArrayBufferObject::BufferContents bufContents =
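Review bot: The new `JSAutoCompartment ac(context(), arrayBuffer)` carries no explanation, yet it is the line that makes the new assertions in ArrayBufferObject.cpp hold: `obj` may be a cross-compartment wrapper (the `CheckedUnwrap` on the line above exists for that case), so the unwrapped buffer can live in a different compartment from `context()`. I would add `// |obj| may be a wrapper; stealContents/detach allocate and report through context(), so enter the buffer's compartment first.` above it. Note also that `ac` stays in effect until the end of the enclosing `if (cls == ESClass_ArrayBuffer)` block, which continues past this hunk, so any object from the writer's own compartment touched later in that block is now handled from inside the buffer's compartment; presumably that is fine for the BufferContents path, but worth confirming. Separately, and pre-existing rather than introduced here, `CheckedUnwrap(obj)` can return nullptr when a wrapper's policy denies unwrapping, and the `->as<ArrayBufferObject>()` on it is unchecked; if `GetBuiltinClass` succeeding does not already guarantee unwrapping succeeds, a null check before the new line would be the safer shape. transferOwnership begins and ends outside this hunk.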