Bug 1367815 - Add assertions to prevent proxies other than cross compartment wrappers from having cross compartment targets r=sfink
authorJon Coppeard <jcoppeard@mozilla.com>
Fri, 02 Jun 2017 10:32:37 +0100
changeset 410128 9e5ac6fa7858a4c399dd482090b29723c5a991d7
parent 410127 06634ddc1a18ca945492a6317f548a8be21dff7b
child 410129 98b894115e896c9e96b95edc8470fb0c645713b9
push id7391
push usermtabara@mozilla.com
push dateMon, 12 Jun 2017 13:08:53 +0000
reviewerssfink
bugs1367815
milestone55.0a1
Bug 1367815 - Add assertions to prevent proxies other than cross compartment wrappers from having cross compartment targets r=sfink
js/src/gc/Marking.cpp
js/src/vm/ProxyObject.cpp
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -2606,16 +2606,18 @@ GCMarker::stackContainsCrossZonePointerT
         Zone* sourceZone = source->zone();
         if (sourceZone == targetZone)
             continue;
 
         // The private slot of proxy objects might contain a cross-compartment
         // pointer.
         if (source->is<ProxyObject>()) {
             Value value = source->as<ProxyObject>().private_();
+            MOZ_ASSERT_IF(!IsCrossCompartmentWrapper(source),
+                          IsObjectValueInCompartment(value, source->compartment()));
             if (value.isObject() && &value.toObject() == target)
                 return sourceZone;
         }
 
         if (Debugger::isDebuggerCrossCompartmentEdge(source, target))
             return sourceZone;
     }
 
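Review bot: The comment above the new `MOZ_ASSERT_IF` still says the private slot of proxy objects "might contain a cross-compartment pointer", but the assertion now says that holds only for cross-compartment wrappers. I would reword it to `// Only cross-compartment wrappers may hold a cross-compartment pointer in their private slot; any other proxy's private must be same-compartment.` The check sits after the `if (sourceZone == targetZone) continue;` guard, so a proxy whose source and target share a zone is never examined here. Because it is an assertion, it presumably documents the invariant in debug builds rather than enforcing it in release builds. The enclosing loop and function begin outside this hunk.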
--- a/js/src/vm/ProxyObject.cpp
+++ b/js/src/vm/ProxyObject.cpp
@@ -87,17 +87,20 @@ ProxyObject::New(JSContext* cx, const Ba
     JS_TRY_VAR_OR_RETURN_NULL(cx, proxy, create(cx, clasp, proto, allocKind, newKind));
 
     proxy->setInlineValueArray();
 
     detail::ProxyValueArray* values = detail::GetProxyDataLayout(proxy)->values();
     values->init(proxy->numReservedSlots());
 
     proxy->data.handler = handler;
-    proxy->setCrossCompartmentPrivate(priv);
+    if (IsCrossCompartmentWrapper(proxy))
+        proxy->setCrossCompartmentPrivate(priv);
+    else
+        proxy->setSameCompartmentPrivate(priv);
 
     /* Don't track types of properties of non-DOM and non-singleton proxies. */
     if (newKind != SingletonObject && !clasp->isDOMClass())
         MarkObjectGroupUnknownProperties(cx, proxy->group());
 
     return proxy;
 }
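Review bot: The new `if (IsCrossCompartmentWrapper(proxy))` branch depends on `proxy->data.handler = handler;` having run on the line before, presumably because the wrapper test inspects the handler, and nothing in the code says that the order matters. A short comment would keep a later reordering from silently sending every proxy down the same-compartment path, for example `// Must follow the handler assignment: only CCWs may store a cross-compartment private.` The rejection of a cross-compartment `priv` for other proxies lives inside `setSameCompartmentPrivate`, which is not shown; if that is a debug-only assertion, release builds still accept the value, which is worth stating in the comment given that compartments are an isolation boundary. The start of `ProxyObject::New` is outside this hunk.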