Bug 1540944 - Get new group from the correct realm in SetProto. r=luke a=pascalc
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 02 Apr 2019 19:41:07 +0000
changeset 525975 e0f62b77623697545dd2eb5c7e061a65a723f68e
parent 525974 2c01eafb7bb89195e76f6ea8daf817496b27ec44
child 525976 ad953d1d63f6d9fda6b4483a16632d8938a966f4
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
reviewersluke, pascalc
bugs1540944
milestone67.0
Bug 1540944 - Get new group from the correct realm in SetProto. r=luke a=pascalc Differential Revision: https://phabricator.services.mozilla.com/D25803
js/src/jit-test/tests/realms/basic.js
js/src/vm/JSObject-inl.h
js/src/vm/JSObject.cpp
--- a/js/src/jit-test/tests/realms/basic.js
+++ b/js/src/jit-test/tests/realms/basic.js
@@ -99,8 +99,16 @@ function testEvalcx() {
              ex.toString().includes("visibility"), true);
 
     // Bug 1524707.
     var lazysb = evalcx("lazy");
     Object.setPrototypeOf(lazysb, Math);
     assertEq(lazysb.__proto__, Math);
 }
 testEvalcx();
+
+function testSetProto() {
+    var o = {};
+    o.__proto__ = newGlobal();
+    o.__proto__ = newGlobal();
+    assertEq(objectGlobal(o), this);
+}
+testSetProto();
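Review bot: `testSetProto` carries no bug reference or explanation, unlike the `// Bug 1524707.` comment on the case just above it. I would add `// Bug 1540944: a group created by a prototype change must stay in the object's own realm.` above the function. The repeated `o.__proto__ = newGlobal();` also deserves a short remark, since presumably the second assignment is what exposes a wrong-realm group left by the first. The test covers only a plain object; the `JSFunction` branch of `SetProto` in js/src/vm/JSObject.cpp is not exercised, which may be acceptable because that branch already takes the realm from `oldGroup`.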
--- a/js/src/vm/JSObject-inl.h
+++ b/js/src/vm/JSObject-inl.h
@@ -155,17 +155,17 @@ js::NativeObject::updateDictionaryListPo
     return makeLazyGroup(cx, obj);
   }
   return obj->group_;
 }
 
 inline void JSObject::setGroup(js::ObjectGroup* group) {
   MOZ_RELEASE_ASSERT(group);
   MOZ_ASSERT(!isSingleton());
-  MOZ_ASSERT(compartment() == group->compartment());
+  MOZ_ASSERT(maybeCCWRealm() == group->realm());
   group_ = group;
 }
 
 /* * */
 
 inline bool JSObject::isQualifiedVarObj() const {
   if (is<js::DebugEnvironmentProxy>()) {
     return as<js::DebugEnvironmentProxy>().environment().isQualifiedVarObj();
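Review bot: The tightened check `MOZ_ASSERT(maybeCCWRealm() == group->realm());` in `JSObject::setGroup` is debug-only, while the null check above it is a `MOZ_RELEASE_ASSERT`. Release builds therefore still rely on every caller, such as the `SetProto` path patched in js/src/vm/JSObject.cpp, entering the object's realm before creating the group. I would document the invariant on that line, e.g. `// The new group must come from this object's realm; sharing a compartment is not enough (bug 1540944).` Whether the comparison is cheap enough to promote to `MOZ_RELEASE_ASSERT` is a call for the owners, since `setGroup` may sit on a hot path.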
--- a/js/src/vm/JSObject.cpp
+++ b/js/src/vm/JSObject.cpp
@@ -2203,16 +2203,17 @@ static bool SetProto(JSContext* cx, Hand
     MOZ_ASSERT(obj->is<JSFunction>());
     newGroup = ObjectGroupRealm::makeGroup(cx, oldGroup->realm(),
                                            &JSFunction::class_, proto);
     if (!newGroup) {
       return false;
     }
     newGroup->setInterpretedFunction(oldGroup->maybeInterpretedFunction());
   } else {
+    AutoRealm ar(cx, oldGroup);
     newGroup = ObjectGroup::defaultNewGroup(cx, obj->getClass(), proto);
     if (!newGroup) {
       return false;
     }
   }
 
   obj->setGroup(newGroup);