Bug 1524707 - Ensure we're in the global's realm in GlobalObject::resolveConstructor. r=jorendorff a=lizzard
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 06 Feb 2019 07:55:50 +0000
changeset 515895 3e57fe219beb57862951db5c6ab6f109b23db212
parent 515894 1d59770b712bbfb4b140c1ac8e179601871f8b94
child 515896 8b1e6095f35500a4a5d7b9e20ce14e3014f4db17
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
reviewersjorendorff, lizzard
bugs1524707
milestone66.0
Bug 1524707 - Ensure we're in the global's realm in GlobalObject::resolveConstructor. r=jorendorff a=lizzard In js::SetPrototype we call GlobalObject::ensureConstructor. I think this is only a problem for evalcx because other globals have an immutable prototype chain. Differential Revision: https://phabricator.services.mozilla.com/D18562
js/src/jit-test/tests/realms/basic.js
js/src/vm/GlobalObject.cpp
--- a/js/src/jit-test/tests/realms/basic.js
+++ b/js/src/jit-test/tests/realms/basic.js
@@ -89,10 +89,15 @@ function testEvalcx() {
     try {
         sb = g.eval("evalcx('')");
     } catch(e) {
         ex = e;
     }
     // Check for either an exception or CCW (with --more-compartments).
     assertEq((sb && objectGlobal(sb) === null) ||
              ex.toString().includes("visibility"), true);
+
+    // Bug 1524707.
+    var lazysb = evalcx("lazy");
+    Object.setPrototypeOf(lazysb, Math);
+    assertEq(lazysb.__proto__, Math);
 }
 testEvalcx();
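Review bot: The comment `// Bug 1524707.` above the three new lines records only a bug number, so a reader has to open the bug to learn what the regression test guards. Per the commit description the interesting part is that Object.setPrototypeOf on a lazy evalcx global ends up resolving standard-class constructors, which previously ran outside that global's realm; the comment should say that, e.g. `// Bug 1524707: setPrototypeOf on a lazy evalcx global resolves constructors on the global; they must be resolved in its realm, not the caller's.` The enclosing testEvalcx() begins before the hunk.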
--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@@ -119,16 +119,21 @@ TypedObjectModuleObject& js::GlobalObjec
 }
 
 /* static*/ bool GlobalObject::resolveConstructor(JSContext* cx,
                                                   Handle<GlobalObject*> global,
                                                   JSProtoKey key,
                                                   IfClassIsDisabled mode) {
   MOZ_ASSERT(key != JSProto_Null);
   MOZ_ASSERT(!global->isStandardClassResolved(key));
+  MOZ_ASSERT(cx->compartment() == global->compartment());
+
+  // |global| must be same-compartment but make sure we're in its realm: the
+  // code below relies on this.
+  AutoRealm ar(cx, global);
 
   if (global->zone()->createdForHelperThread()) {
     return resolveOffThreadConstructor(cx, global, key);
   }
 
   MOZ_ASSERT(!cx->helperThread());
 
   // Prohibit collection of allocation metadata. Metadata builders shouldn't
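Review bot: The new comment "the code below relies on this" does not name what relies on the realm, so the next maintainer cannot tell which later statements are unsafe to hoist above the AutoRealm; the body of resolveConstructor continues past the hunk, so that dependency is not visible here. I would word it as `// |global| must be same-compartment (asserted above) but may be in another realm; enter it here so everything below that allocates or resolves on behalf of |global| runs in its realm.` — adjust the second clause to whatever the rest of the function actually does. Note that the MOZ_ASSERT is debug-only, so in release builds the comment is the only statement of the same-compartment precondition; if AutoRealm does not itself check compartments, a cross-compartment caller would proceed silently, which is worth spelling out in the function's header comment as well. The AutoRealm is also entered before the createdForHelperThread branch, so resolveOffThreadConstructor now runs inside the realm too; presumably intended, but the test only exercises the main-thread path.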