Bug 1512410 part 1 - Add a realm check to the NewObjectCache to fix a bug with same-compartment realms. r=luke
author: Jan de Mooij <jdemooij@mozilla.com>
date: Sat, 08 Dec 2018 18:06:17 +0000
changeset: 508878 c24a1c1237babf78b65f6331579ee8d9b5607432
parent: 508877 27f608825f9b06148d980d28eb934a01fc1e0070
child: 508879 09493e80dbe7c1486eb3c93960cc81f73c8c5356
push id: 1905
push user: ffxbld-merge
push date: Mon, 21 Jan 2019 12:33:13 +0000
reviewers: luke
bugs: 1512410
milestone: 65.0a1
Bug 1512410 part 1 - Add a realm check to the NewObjectCache to fix a bug with same-compartment realms. r=luke Differential Revision: https://phabricator.services.mozilla.com/D13903
js/src/jit-test/tests/realms/basic.js
js/src/vm/Caches-inl.h
--- a/js/src/jit-test/tests/realms/basic.js
+++ b/js/src/jit-test/tests/realms/basic.js
@@ -38,8 +38,19 @@ function testSystemNonSystemRealms() {
     try {
         systemRealm = newGlobal({systemPrincipal: true, sameCompartmentAs: this});
     } catch(e) {
         ex = e;
     }
     assertEq(ex.toString().includes("non-system realms"), true);
 }
 testSystemNonSystemRealms();
+
+function testNewObjectCache() {
+    // NewObjectCache lookup based on the proto should not return a cross-realm
+    // object.
+    var g = newGlobal({sameCompartmentAs: this});
+    var o1 = g.evaluate("Object.create(Math)");
+    var o2 = Object.create(g.Math);
+    assertEq(objectGlobal(o1), g);
+    assertEq(objectGlobal(o2), this);
+}
+testNewObjectCache();
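Review bot: the test is order-dependent and the hunk does not say so: o1 must be created in g before o2 so that the NewObjectCache entry keyed on the proto g.Math is populated with g's group, and only then does the Object.create(g.Math) call from this realm exercise the cross-realm lookup; add a comment stating that ordering, and consider also asserting `assertEq(Object.getPrototypeOf(o2), g.Math)` so that the fallback allocation taken on a cache miss is checked for the right proto as well as the right global. The reverse order (allocate in this realm first, then in g) would cover the other direction of the same mismatch and costs two more lines.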
--- a/js/src/vm/Caches-inl.h
+++ b/js/src/vm/Caches-inl.h
@@ -48,16 +48,22 @@ inline NativeObject* NewObjectCache::new
   NativeObject* templateObj =
       reinterpret_cast<NativeObject*>(&entry->templateObject);
 
   // Do an end run around JSObject::group() to avoid doing AutoUnprotectCell
   // on the templateObj, which is not a GC thing and can't use
   // runtimeFromAnyThread.
   ObjectGroup* group = templateObj->group_;
 
+  // If we did the lookup based on the proto we might have a group/object from a
+  // different (same-compartment) realm, so we have to do a realm check.
+  if (group->realm() != cx->realm()) {
+    return nullptr;
+  }
+
   MOZ_ASSERT(!group->hasUnanalyzedPreliminaryObjects());
 
   {
     AutoSweepObjectGroup sweepGroup(group);
     if (group->shouldPreTenure(sweepGroup)) {
       heap = gc::TenuredHeap;
     }
   }
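Review bot: the new comment says the check is needed "if we did the lookup based on the proto", but the comparison `group->realm() != cx->realm()` runs unconditionally for every newObjectFromHit, including group- and global-keyed lookups where it is expected never to fire; either narrow the comment to say the check is deliberately unconditional because this function cannot tell which lookup filled the entry, or turn the other cases into a MOZ_ASSERT so a realm mismatch there is caught in debug builds. Separately, returning nullptr leaves the cross-realm entry in place, so every subsequent allocation from cx->realm() with the same proto will keep hitting it and missing; please confirm the caller refills the entry on the nullptr path, and if it does not, replace the entry here rather than only bailing.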