Bug 1521717 - Unmark original object if we are going to return it from JS_TransplantObject r=sfink
author Jon Coppeard <jcoppeard@mozilla.com>
Thu, 24 Jan 2019 12:34:55 +0000
changeset 515305 2ab90d1a0e614223e6be7ee0bdfe76cf7bd9a166
parent 515304 c8e4a4cd94feb5e5cd7e9e9ae9e628a65eb46e35
child 515306 a68a2da104f324b649563af809965d87e8db7791
push id 1953
push user ffxbld-merge
push date Mon, 11 Mar 2019 12:10:20 +0000
treeherder mozilla-release@9c35dcbaa899
reviewers sfink
bugs 1521717
milestone 66.0a1
js/src/jsapi.cpp
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -699,16 +699,20 @@ JS_PUBLIC_API JSObject* JS_TransplantObj
   if (origobj->compartment() == destination) {
     // If the original object is in the same compartment as the
     // destination, then we know that we won't find a wrapper in the
     // destination's cross compartment map and that the same
     // object will continue to work.
     AutoRealmUnchecked ar(cx, origobj->nonCCWRealm());
     JSObject::swap(cx, origobj, target);
     newIdentity = origobj;
+
+    // |origobj| might be gray so unmark it to avoid returning a possibly-gray
+    // object.
+    JS::ExposeObjectToActiveJS(newIdentity);
   } else if (WrapperMap::Ptr p = destination->lookupWrapper(origv)) {
     // There might already be a wrapper for the original object in
     // the new compartment. If there is, we use its identity and swap
     // in the contents of |target|.
     newIdentity = &p->value().get().toObject();
 
     // When we remove origv from the wrapper map, its wrapper, newIdentity,
     // must immediately cease to be a cross-compartment wrapper. Nuke it.
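Review bot: The unmarking at `JS::ExposeObjectToActiveJS(newIdentity);` is applied only in the `origobj->compartment() == destination` branch, while the `lookupWrapper` branch directly below also takes `newIdentity` from an already existing object (`newIdentity = &p->value().get().toObject();`) and nothing visible here says whether that path can hand back a gray object as well. Please either state in a comment why the wrapper-map read is already safe, or move the unmarking (or a debug-only check that the result is not gray) to the common point where `newIdentity` is returned, so every branch is covered by one invariant instead of a per-branch fix. Two smaller points: the new comment talks about `origobj` while the call is made on `newIdentity`, which is the same pointer at this line but reads more clearly if both use one name, and the change as shown touches only js/src/jsapi.cpp, so a regression test that transplants a gray object within one compartment would keep this from silently regressing.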