Bug 1518833: Handle cross-compartment wrapped TypedArray in @@toStringTag. r=jorendorff
authorAndré Bargull <andre.bargull@gmail.com>
Wed, 09 Jan 2019 08:45:57 -0800
changeset 510621 7a01aa85fc047341ee247db498d904ec4894d095
parent 510519 2a99e348fde3d1674296bb82c5f3881e696e8fb6
child 510622 27845cbdcac6f18002fd0d46021ba963487c6659
push id10547
push userffxbld-merge
push dateMon, 21 Jan 2019 13:03:58 +0000
treeherdermozilla-beta@24ec1916bffe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjorendorff
bugs1518833
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1518833: Handle cross-compartment wrapped TypedArray in @@toStringTag. r=jorendorff
js/src/builtin/TypedArray.js
js/src/tests/non262/TypedArray/toStringTag-cross-compartment.js
js/src/vm/SelfHosting.cpp
--- a/js/src/builtin/TypedArray.js
+++ b/js/src/builtin/TypedArray.js
@@ -1569,17 +1569,17 @@ function TypedArraySpecies() {
 _SetCanonicalName(TypedArraySpecies, "get [Symbol.species]");
 
 // ES 2017 draft June 2, 2016 22.2.3.32
 function TypedArrayToStringTag() {
     // Step 1.
     var O = this;
 
     // Steps 2-3.
-    if (!IsObject(O) || !IsTypedArray(O))
+    if (!IsObject(O) || !IsPossiblyWrappedTypedArray(O))
         return undefined;
 
     // Steps 4-6.
     // Modified to retrieve the [[TypedArrayName]] from the constructor.
     return _NameForTypedArray(O);
 }
 _SetCanonicalName(TypedArrayToStringTag, "get [Symbol.toStringTag]");
 
new file mode 100644
--- /dev/null
+++ b/js/src/tests/non262/TypedArray/toStringTag-cross-compartment.js
@@ -0,0 +1,12 @@
+const TypedArrayPrototype = Object.getPrototypeOf(Int8Array.prototype);
+const {get: toStringTag} = Object.getOwnPropertyDescriptor(TypedArrayPrototype, Symbol.toStringTag);
+
+const otherGlobal = newGlobal();
+
+for (let constructor of anyTypedArrayConstructors) {
+    let ta = new otherGlobal[constructor.name](0);
+    assertEq(toStringTag.call(ta), constructor.name);
+}
+
+if (typeof reportCompare === "function")
+    reportCompare(true, true);
--- a/js/src/vm/SelfHosting.cpp
+++ b/js/src/vm/SelfHosting.cpp
@@ -2135,18 +2135,20 @@ static bool intrinsic_ConstructorForType
 }
 
 static bool intrinsic_NameForTypedArray(JSContext* cx, unsigned argc,
                                         Value* vp) {
   CallArgs args = CallArgsFromVp(argc, vp);
   MOZ_ASSERT(args.length() == 1);
   MOZ_ASSERT(args[0].isObject());
 
-  RootedObject object(cx, &args[0].toObject());
-  MOZ_ASSERT(object->is<TypedArrayObject>());
+  auto* object = UnwrapAndDowncastValue<TypedArrayObject>(cx, args[0]);
+  if (!object) {
+    return false;
+  }
 
   JSProtoKey protoKey = StandardProtoKeyOrNull(object);
   MOZ_ASSERT(protoKey);
 
   args.rval().setString(ClassName(protoKey, cx));
   return true;
 }