Bug 1452571 - Baldr: fix IsBufferSource on DataView and prevent shell-only rooting bug (r=anba)
authorLuke Wagner <luke@mozilla.com>
Thu, 19 Apr 2018 14:28:01 +0200
changeset 468287 907f224f35c0092b5f4330cd7ba63277df918b23
parent 468286 3d0c62242c483a022e08a262794b071dea58376d
child 468288 9c339f571d35c008c5b19d8583f01e2ecc8a5cb0
push id9165
push userasasaki@mozilla.com
push dateThu, 26 Apr 2018 21:04:54 +0000
reviewersanba
bugs1452571
milestone61.0a1
Bug 1452571 - Baldr: fix IsBufferSource on DataView and prevent shell-only rooting bug (r=anba)
js/src/shell/js.cpp
js/src/vm/TypedArrayObject.cpp
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -5805,23 +5805,16 @@ EnsureLatin1CharsLinearString(JSContext*
     result.set(&str->asLinear());
     MOZ_ASSERT(result->hasLatin1Chars());
     return true;
 }
 
 static bool
 ConsumeBufferSource(JSContext* cx, JS::HandleObject obj, JS::MimeType, JS::StreamConsumer* consumer)
 {
-    SharedMem<uint8_t*> dataPointer;
-    size_t byteLength;
-    if (!IsBufferSource(obj, &dataPointer, &byteLength)) {
-        JS_ReportErrorASCII(cx, "shell streaming consumes a buffer source (buffer or view)");
-        return false;
-    }
-
     {
         RootedValue url(cx);
         if (!JS_GetProperty(cx, obj, "url", &url))
             return false;
         RootedLinearString urlStr(cx);
         if (!EnsureLatin1CharsLinearString(cx, url, &urlStr))
             return false;
 
@@ -5836,16 +5829,23 @@ ConsumeBufferSource(JSContext* cx, JS::H
         consumer->noteResponseURLs(urlStr
                                    ? reinterpret_cast<const char*>(urlStr->latin1Chars(nogc))
                                    : nullptr,
                                    mapUrlStr
                                    ? reinterpret_cast<const char*>(mapUrlStr->latin1Chars(nogc))
                                    : nullptr);
     }
 
+    SharedMem<uint8_t*> dataPointer;
+    size_t byteLength;
+    if (!IsBufferSource(obj, &dataPointer, &byteLength)) {
+        JS_ReportErrorASCII(cx, "shell streaming consumes a buffer source (buffer or view)");
+        return false;
+    }
+
     auto job = cx->make_unique<BufferStreamJob>(consumer);
     if (!job || !job->bytes.resize(byteLength))
         return false;
 
     memcpy(job->bytes.begin(), dataPointer.unwrap(), byteLength);
 
     BufferStreamJob* jobPtr = job.get();
 
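Review bot: Nothing at the relocated `IsBufferSource` call records why it has to sit below the property lookups, so a later cleanup could hoist it back to the top of `ConsumeBufferSource` and reintroduce the rooting bug. `dataPointer` is a raw pointer into the buffer's storage that nothing roots, and the `JS_GetProperty` calls in the block above can presumably run script or trigger a GC. I would add `// Must come after the JS_GetProperty calls above: dataPointer is unrooted and must not be held across anything that can GC or run script.` directly above the `SharedMem<uint8_t*> dataPointer;` declaration. The `cx->make_unique` and `resize` calls still sit between the extraction and the `memcpy`, so it is worth confirming that neither can GC. The function starts before and continues past this hunk.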
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -2135,16 +2135,17 @@ js::IsBufferSource(JSObject* object, Sha
         *byteLength = view.byteLength();
         return true;
     }
 
     if (object->is<DataViewObject>()) {
         DataViewObject& view = object->as<DataViewObject>();
         *dataPointer = view.dataPointerEither().cast<uint8_t*>();
         *byteLength = view.byteLength();
+        return true;
     }
 
     if (object->is<ArrayBufferObject>()) {
         ArrayBufferObject& buffer = object->as<ArrayBufferObject>();
         *dataPointer = buffer.dataPointerShared();
         *byteLength = buffer.byteLength();
         return true;
     }
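Review bot: No regression test accompanies the added `return true;` in the DataView branch; the commit's file list names only js.cpp and TypedArrayObject.cpp. Before this change the branch filled `*dataPointer` and `*byteLength` and then fell through, so callers presumably saw a DataView rejected even though the out-parameters had been written. A test that feeds a DataView to a consumer of `IsBufferSource` would pin the fix. Separately, a comment on the function saying `// On success, *dataPointer is an unrooted pointer into the object's data; do not hold it across a GC or script execution.` would make the caller-side ordering requirement discoverable. The function begins and ends outside this hunk, so an existing comment of that kind may already be present out of view.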