Bug 1456858 - structured clone comment fixups, r=jorendorff
authorSteve Fink <sfink@mozilla.com>
Wed, 25 Apr 2018 12:15:51 -0700
changeset 472501 6529717260a226e15e02da023bfced594a763204
parent 472500 3ee25bda924ea97cbda2d8602ede83b30c61eb19
child 472502 7b6f6fcaaa177324d1827f9be431e23e9e0573ad
push id1728
push userjlund@mozilla.com
push dateMon, 18 Jun 2018 21:12:27 +0000
reviewersjorendorff
bugs1456858
milestone61.0a1
Bug 1456858 - structured clone comment fixups, r=jorendorff
js/public/StructuredClone.h
js/src/builtin/TestingFunctions.cpp
--- a/js/public/StructuredClone.h
+++ b/js/public/StructuredClone.h
@@ -310,18 +310,36 @@ struct JSStructuredCloneCallbacks {
     StructuredCloneErrorOp reportError;
     ReadTransferStructuredCloneOp readTransfer;
     TransferStructuredCloneOp writeTransfer;
     FreeTransferStructuredCloneOp freeTransfer;
     CanTransferStructuredCloneOp canTransfer;
 };
 
 enum OwnTransferablePolicy {
+    /**
+     * The buffer owns any Transferables that it might contain, and should
+     * properly release them upon destruction.
+     */
     OwnsTransferablesIfAny,
+
+    /**
+     * Do not free any Transferables within this buffer when deleting it. This
+     * is used to mark as clone buffer as containing data from another process,
+     * and so it can't legitimately contain pointers. If the buffer claims to
+     * have transferables, it's a bug or an attack. This is also used for
+     * abandon(), where a buffer still contains raw data but the ownership has
+     * been given over to some other entity.
+     */
     IgnoreTransferablesIfAny,
+
+    /**
+     * A buffer that cannot contain Transferables at all. This usually means
+     * the buffer is empty (not yet filled in, or having been cleared).
+     */
     NoTransferables
 };
 
 namespace js
 {
     class SharedArrayRawBuffer;
 
     class SharedArrayRawBufferRefs
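Review bot: The new comment on IgnoreTransferablesIfAny has a typo that changes the meaning of the sentence: "This is used to mark as clone buffer as containing data from another process" should read "This is used to mark a clone buffer as containing data from another process". The same comment says a buffer under this policy "can't legitimately contain pointers" and that a transferable claim "is a bug or an attack", but it does not say what the reader is expected to do with such a claim; since this is the cross-process case, I would state the invariant explicitly, e.g. `Data under this policy is untrusted: a reader must never dereference a pointer found in the buffer, only reject it.` (assuming that is what the deserializer does — I cannot see the read path here). The enum itself is complete within the hunk; the SharedArrayRawBufferRefs class that follows is cut off.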
@@ -466,17 +484,17 @@ class MOZ_NON_MEMMOVABLE JS_PUBLIC_API(J
             return AppendBytes(data, size);
         });
     }
 
     size_t SizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) {
         return bufList_.SizeOfExcludingThis(mallocSizeOf);
     }
 
-    // Temporary until the scope is moved into JSStructuredCloneData.
+    // For testing only.
     void IgnoreTransferables() {
         ownTransferables_ = OwnTransferablePolicy::IgnoreTransferablesIfAny;
     }
 
     void discardTransferables();
 };
 
 /**
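Review bot: "For testing only." on IgnoreTransferables() does not say why the method is unsafe for general use, and it lives on a JS_PUBLIC_API class, so nothing stops an embedder from calling it. Switching ownTransferables_ to IgnoreTransferablesIfAny on a buffer that actually owns Transferables would, per the policy comment added in the same file, leave them unreleased on destruction, so the precondition should be spelled out: `// For testing only. Must not be called on a buffer that owns Transferables; under IgnoreTransferablesIfAny they would never be released.` A `MOZ_ASSERT(ownTransferables_ != OwnTransferablePolicy::OwnsTransferablesIfAny)` would make that precondition checked in debug builds, if the class's other policy transitions already follow that pattern. The enclosing class starts before this hunk.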
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2797,17 +2797,18 @@ class CloneBufferObject : public NativeO
         return getReservedSlot(SYNTHETIC_SLOT).toBoolean();
     }
 
     void setData(JSStructuredCloneData* aData, bool synthetic) {
         MOZ_ASSERT(!data());
         setReservedSlot(DATA_SLOT, PrivateValue(aData));
         setReservedSlot(SYNTHETIC_SLOT, BooleanValue(synthetic));
 
-        // Temporary until the scope is moved into JSStructuredCloneData.
+        // For testing only, and will be unnecessary once the scope is moved
+        // into JSStructuredCloneData.
         if (synthetic)
             aData->IgnoreTransferables();
     }
 
     // Discard an owned clone buffer.
     void discard() {
         js_delete(data());
         setReservedSlot(DATA_SLOT, PrivateValue(nullptr));
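Review bot: The reworded comment in setData() still only says "for testing only" and when the code will go away, not why a synthetic buffer must have its transferables ignored, which is the thing a future maintainer needs in order to remove the call safely. I would replace it with something like `// Synthetic buffers are hand-built test data, so any transferable they appear to carry is not a real pointer; ignore rather than free it on destruction. Unnecessary once the scope is moved into JSStructuredCloneData.` That ties the call to the IgnoreTransferablesIfAny contract instead of to a schedule. The CloneBufferObject class starts before this hunk and continues after it.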
@@ -3087,18 +3088,18 @@ Deserialize(JSContext* cx, unsigned argc
             if (!str)
                 return false;
             auto maybeScope = ParseCloneScope(cx, str);
             if (!maybeScope) {
                 JS_ReportErrorASCII(cx, "Invalid structured clone scope");
                 return false;
             }
 
-            if (fuzzingSafe && *maybeScope < scope) {
-                JS_ReportErrorASCII(cx, "Fuzzing builds must not set less restrictive scope "
+            if (*maybeScope < scope) {
+                JS_ReportErrorASCII(cx, "Cannot use less restrictive scope "
                                     "than the deserialized clone buffer's scope");
                 return false;
             }
 
             scope = *maybeScope;
         }
     }
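Review bot: Dropping the fuzzingSafe condition so that a less restrictive scope is always rejected is the right call, but the check `*maybeScope < scope` now carries the whole policy and relies on the ordering of the StructuredCloneScope enumerators, which nothing here documents. I would add a one-line comment above the comparison, `// StructuredCloneScope enumerators are ordered least to most restrictive; a caller may only narrow the buffer's scope, never widen it.` (assuming that ordering holds — I cannot see the enum from this hunk). Deserialize() starts before and ends after this hunk.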