Bug 1302037 - Don't allow SAB in transfer map. r=shu a=gchang
authorLars T Hansen <lhansen@mozilla.com>
Fri, 10 Feb 2017 10:02:18 +0100
changeset 378481 44312adc8981985224f4022340633cfe68fcf30e
parent 378480 28886b4c135760a6d8aedf7ab7ec8cae5a0c5821
child 378482 aafe44390b1bf8c81acc4b07faeedf43340c5938
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
reviewersshu, gchang
bugs1302037
milestone53.0a2
Bug 1302037 - Don't allow SAB in transfer map. r=shu a=gchang
js/public/StructuredClone.h
js/src/js.msg
js/src/tests/js1_8_5/extensions/sharedtypedarray.js
js/src/vm/StructuredClone.cpp
--- a/js/public/StructuredClone.h
+++ b/js/public/StructuredClone.h
@@ -322,16 +322,17 @@ class JS_PUBLIC_API(JSAutoStructuredClon
 // The range of tag values the application may use for its own custom object types.
 #define JS_SCTAG_USER_MIN  ((uint32_t) 0xFFFF8000)
 #define JS_SCTAG_USER_MAX  ((uint32_t) 0xFFFFFFFF)
 
 #define JS_SCERR_RECURSION 0
 #define JS_SCERR_TRANSFERABLE 1
 #define JS_SCERR_DUP_TRANSFERABLE 2
 #define JS_SCERR_UNSUPPORTED_TYPE 3
+#define JS_SCERR_SAB_TRANSFERABLE 4
 
 JS_PUBLIC_API(bool)
 JS_ReadUint32Pair(JSStructuredCloneReader* r, uint32_t* p1, uint32_t* p2);
 
 JS_PUBLIC_API(bool)
 JS_ReadBytes(JSStructuredCloneReader* r, void* p, size_t len);
 
 JS_PUBLIC_API(bool)
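Review bot: `JS_SCERR_SAB_TRANSFERABLE` is added to the public error-code list without a comment, and these codes are consumed by switches such as the one in `ReportDataCloneError` in js/src/vm/StructuredClone.cpp, whose default arm is `MOZ_CRASH`. Any other handler of these ids that is not visible in this commit (for example an embedder-supplied error callback, if one exists) needs a matching case; otherwise a transfer list chosen by script could reach an unhandled-id path instead of raising an exception. I would add `// A SharedArrayBuffer was found in the transfer list; shared memory is cloned, never transferred.` above the define and confirm that every consumer of `JS_SCERR_*` handles value 4.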
--- a/js/src/js.msg
+++ b/js/src/js.msg
@@ -422,17 +422,17 @@ MSG_DEF(JSMSG_BAD_TRAP,                1
 
 // Structured cloning
 MSG_DEF(JSMSG_SC_BAD_CLONE_VERSION,    0, JSEXN_ERR, "unsupported structured clone version")
 MSG_DEF(JSMSG_SC_BAD_SERIALIZED_DATA,  1, JSEXN_INTERNALERR, "bad serialized structured data ({0})")
 MSG_DEF(JSMSG_SC_DUP_TRANSFERABLE,     0, JSEXN_TYPEERR, "duplicate transferable for structured clone")
 MSG_DEF(JSMSG_SC_NOT_TRANSFERABLE,     0, JSEXN_TYPEERR, "invalid transferable array for structured clone")
 MSG_DEF(JSMSG_SC_UNSUPPORTED_TYPE,     0, JSEXN_TYPEERR, "unsupported type for structured data")
 MSG_DEF(JSMSG_SC_NOT_CLONABLE,         1, JSEXN_TYPEERR, "{0} cannot be cloned in this context")
-MSG_DEF(JSMSG_SC_SAB_TRANSFER,         0, JSEXN_WARN, "SharedArrayBuffer must not be in the transfer list")
+MSG_DEF(JSMSG_SC_SAB_TRANSFERABLE,     0, JSEXN_TYPEERR, "SharedArrayBuffer must not be in the transfer list")
 MSG_DEF(JSMSG_SC_SAB_DISABLED,         0, JSEXN_TYPEERR, "SharedArrayBuffer not cloned - shared memory disabled in receiver")
 
 // Debugger
 MSG_DEF(JSMSG_ASSIGN_FUNCTION_OR_NULL, 1, JSEXN_TYPEERR, "value assigned to {0} must be a function or null")
 MSG_DEF(JSMSG_DEBUG_BAD_AWAIT,         0, JSEXN_TYPEERR, "await expression received invalid value")
 MSG_DEF(JSMSG_DEBUG_BAD_LINE,          0, JSEXN_TYPEERR, "invalid line number")
 MSG_DEF(JSMSG_DEBUG_BAD_OFFSET,        0, JSEXN_TYPEERR, "invalid script offset")
 MSG_DEF(JSMSG_DEBUG_BAD_REFERENT,      2, JSEXN_TYPEERR, "{0} does not refer to {1}")
--- a/js/src/tests/js1_8_5/extensions/sharedtypedarray.js
+++ b/js/src/tests/js1_8_5/extensions/sharedtypedarray.js
@@ -202,25 +202,22 @@ function testNoClone() {
 
     // This tests the actual cloning functionality - should fail
     assertThrowsInstanceOf(() => serialize(b, [], {SharedArrayBuffer: 'deny'}), TypeError);
 
     // Ditto - should succeed
     assertEq(typeof serialize(b, [], {SharedArrayBuffer: 'allow'}), "object");
 }
 
-// Eventually, this will be prohibited, but for now, allow the SAB to
-// appear in the transfer list.  See bug 1302036 and bug 1302037.
-
 function testRedundantTransfer() {
-    var sab1 = b;
-    var blob = serialize(sab1, [sab1]);
-    var sab2 = deserialize(blob);
-    if (typeof sharedAddress != "undefined")
-	assertEq(sharedAddress(sab1), sharedAddress(sab2));
+    // Throws TypeError in the shell, DataCloneError in the browser.
+    assertThrowsInstanceOf(() => {
+	var sab1 = b;
+	var blob = serialize(sab1, [sab1]);
+    }, TypeError);
 }
 
 function testApplicable() {
     var sab = b;
     var x;
 
     // Just make sure we can create all the view types on shared memory.
 
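Review bot: testRedundantTransfer now covers only the case where the SharedArrayBuffer is both the value being serialized and the sole transfer-list entry. A regression where the rejection depends on the value, or where earlier list entries are acted on before the SAB is rejected, would go unnoticed. Add a case where the SAB appears only in the list, `assertThrowsInstanceOf(() => serialize(0, [b]), TypeError);`, and one where it follows an ordinary ArrayBuffer, then assert that buffer still has its original `byteLength` after the throw. The `var blob` assignment inside the arrow function is unused and can be dropped.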
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -518,16 +518,20 @@ ReportDataCloneError(JSContext* cx,
       case JS_SCERR_TRANSFERABLE:
         JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_SC_NOT_TRANSFERABLE);
         break;
 
       case JS_SCERR_UNSUPPORTED_TYPE:
         JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_SC_UNSUPPORTED_TYPE);
         break;
 
+      case JS_SCERR_SAB_TRANSFERABLE:
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_SC_SAB_TRANSFERABLE);
+        break;
+
       default:
         MOZ_CRASH("Unkown errorId");
         break;
     }
 }
 
 bool
 WriteStructuredClone(JSContext* cx, HandleValue v, JSStructuredCloneData* bufp,
@@ -1003,23 +1007,18 @@ JSStructuredCloneWriter::parseTransferab
 
         if (!JS_GetElement(cx, array, i, &v))
             return false;
 
         if (!v.isObject())
             return reportDataCloneError(JS_SCERR_TRANSFERABLE);
         tObj = &v.toObject();
 
-        // Backward compatibility, see bug 1302036 and bug 1302037.
-        if (tObj->is<SharedArrayBufferObject>()) {
-            if (!JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, GetErrorMessage,
-                                                   nullptr, JSMSG_SC_SAB_TRANSFER))
-                return false;
-            continue;
-        }
+        if (tObj->is<SharedArrayBufferObject>())
+            return reportDataCloneError(JS_SCERR_SAB_TRANSFERABLE);
 
         // No duplicates allowed
         auto p = transferableObjects.lookupForAdd(tObj);
         if (p)
             return reportDataCloneError(JS_SCERR_DUP_TRANSFERABLE);
 
         if (!transferableObjects.add(p, tObj))
             return false;