Bug 1514263 - Enter the object's realm in UnboxedPlainObject::convertToNative. r=bhackett
author: Jan de Mooij <jdemooij@mozilla.com>
date: Sun, 16 Dec 2018 14:14:41 +0000
changeset: 507977 fea0ebc9d0ac863da4b05a40e8603e4f88d16136
parent: 507976 e8de3ae7a7388326d46d21429b6223aabcc41edb
child: 507978 091649f047ef457651862d20260a977b499c580e
push id: 10547
push user: ffxbld-merge
push date: Mon, 21 Jan 2019 13:03:58 +0000
reviewers: bhackett
bugs: 1514263
milestone: 66.0a1
Bug 1514263 - Enter the object's realm in UnboxedPlainObject::convertToNative. r=bhackett

We were failing the realm assert in UnboxedLayout::makeNativeGroup in the browser. It's possible the assert is overzealous and we don't need the AutoRealm, but this makes it much easier to reason about the code.

Differential Revision: https://phabricator.services.mozilla.com/D14693
js/src/jit-test/tests/realms/bug1514263.js
js/src/vm/UnboxedObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/realms/bug1514263.js
@@ -0,0 +1,16 @@
+function O(x) {
+    this.x = x;
+}
+
+var arr = [];
+for (var i = 0; i < 100; i++) {
+    arr.push(new O(i));
+}
+
+var g = newGlobal({sameCompartmentAs: this});
+g.trigger = function(arr) {
+    var obj = arr[90];
+    this.Object.create(obj);
+    assertEq(objectGlobal(obj), objectGlobal(arr));
+};
+g.trigger(arr);
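Review bot: The test never checks that `obj` actually had an unboxed layout before `this.Object.create(obj)` runs, so it passes vacuously if the 100 allocations of `O` do not produce an unboxed layout or if the conversion never happens; a short comment explaining why the loop allocates 100 objects, why `arr[90]` is picked, and that `Object.create` from the second global is what forces `convertToNative` in a different realm would make the intent clear to whoever next touches this file. The assertion `assertEq(objectGlobal(obj), objectGlobal(arr))` is the right observable for this bug, since the failure mode in the commit message is the converted object ending up associated with the calling realm rather than its own.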
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@@ -743,16 +743,20 @@ static PlainObject* MakeReplacementTempl
   // This function returns the original object (instead of bool) to make sure
   // Ion's LConvertUnboxedObjectToNative works correctly. If we return bool
   // and use defineReuseInput, the object register is not preserved across the
   // call.
 
   const UnboxedLayout& layout = obj->as<UnboxedPlainObject>().layout();
   UnboxedExpandoObject* expando = obj->as<UnboxedPlainObject>().maybeExpando();
 
+  // Ensure we're working in the object's realm, so we don't have to worry about
+  // creating groups or templates in the wrong realm.
+  AutoRealm ar(cx, obj);
+
   if (!layout.nativeGroup()) {
     if (!UnboxedLayout::makeNativeGroup(cx, obj->group())) {
       return nullptr;
     }
 
     // makeNativeGroup can reentrantly invoke this method.
     if (obj->is<PlainObject>()) {
       return &obj->as<PlainObject>();
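Review bot: The placement of `AutoRealm ar(cx, obj);` is sound: `layout` and `expando` are plain reads, and the realm switch is in scope for the `makeNativeGroup` call, the reentrant early return `return &obj->as<PlainObject>();` (the RAII guard restores the caller's realm on that path too), and everything that follows. The new comment could say why the caller's realm can differ from `obj`'s in the first place (the commit message mentions this being hit in the browser, and the test reaches it via `Object.create` from another global in the same compartment) and point at the realm assert in `UnboxedLayout::makeNativeGroup` that motivated the change, so that if that assert is later judged overzealous, as the commit message allows, the next reader knows whether this `AutoRealm` can go with it.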