[mq]: assert-nongray draft
authorBoris Zbarsky <bzbarsky@mit.edu>
Mon, 11 Feb 2019 10:31:32 -0500
changeset 1836720 99bdb3b9ebe8831c3c2ed259391bcf47321703b2
parent 1836566 4cb10609ae0255964492ceff16914452b54ed778
child 1836721 3801ad7dbcc9c8fcfbb01802c51167e8f31fa03f
push id333565
push userbzbarsky@mozilla.com
push dateMon, 11 Feb 2019 15:31:50 +0000
treeherdertry@3801ad7dbcc9 [default view] [failures only]
milestone67.0a1
[mq]: assert-nongray
js/src/proxy/Wrapper.cpp
--- a/js/src/proxy/Wrapper.cpp
+++ b/js/src/proxy/Wrapper.cpp
@@ -272,16 +272,17 @@ bool ForwardingProxyHandler::isConstruct
 
 JSObject* Wrapper::New(JSContext* cx, JSObject* obj, const Wrapper* handler,
                        const WrapperOptions& options) {
   // If this is a cross-compartment wrapper allocate it in the compartment's
   // first realm. See Realm::realmForNewCCW.
   mozilla::Maybe<AutoRealmUnchecked> ar;
   if (handler->isCrossCompartmentWrapper()) {
     ar.emplace(cx, cx->compartment()->realmForNewCCW());
+    JS::AssertCellIsNotGray(JS::CurrentGlobalOrNull(cx));
   }
   RootedValue priv(cx, ObjectValue(*obj));
   return NewProxyObject(cx, handler, priv, options.proto(), options);
 }
 
 JSObject* Wrapper::Renew(JSObject* existing, JSObject* obj,
                          const Wrapper* handler) {
   existing->as<ProxyObject>().renew(handler, ObjectValue(*obj));
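Review bot: The added `JS::AssertCellIsNotGray(JS::CurrentGlobalOrNull(cx));` in `Wrapper::New` has no comment naming the invariant it protects, so a later reader cannot tell why the global of the realm chosen by `realmForNewCCW()` must be black at this point. I would put a line above it such as `// The realm that receives a new CCW must not have a gray global (gray-marking invariant).`, with the wording confirmed by the author, since the reason is inferred from the assertion alone. Because the check sits after `ar.emplace(...)`, it inspects the CCW realm's global rather than the caller's, which looks intended, but it says nothing about `obj`, the wrapped target stored in `priv`. If the assertion is compiled only into debug builds, as such checks usually are, it documents the invariant without enforcing it in release builds. That limitation would be worth stating in the same comment.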