mozilla-unified: changeset 490681:3c04e96db3e6b2e13c7a46c35e98b6d24e2304ae

author	Jan de Mooij <jdemooij@mozilla.com>
	Fri, 19 Oct 2018 15:38:19 +0000
changeset 490681	3c04e96db3e6b2e13c7a46c35e98b6d24e2304ae
parent 490680	ad022c9aec53ad84e86d0164e1c3f100ae5449b1
child 490682	8c5a1943d169227e68598870bbe2fd3ee1d6dbea
push id	247
push user	fmarier@mozilla.com
push date	Sat, 27 Oct 2018 01:06:44 +0000
reviewers	luke
bugs	1496892
milestone	64.0a1

Bug 1496892 - Check script compartment instead of realm in TypeScript::SetArgument. r=luke We can call this for a cross-realm script when defining a property on an arguments object. Differential Revision: https://phabricator.services.mozilla.com/D9226

new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/realms/bug1496892.js
@@ -0,0 +1,4 @@
+(function(a) {
+    var g = newGlobal({sameCompartmentAs: this});
+    g.Object.defineProperty(arguments, "0", {value: g});
+})(0);

--- a/js/src/vm/TypeInference-inl.h
+++ b/js/src/vm/TypeInference-inl.h
@@ -854,17 +854,17 @@ TypeScript::SetThis(JSContext* cx, JSScr
 TypeScript::SetThis(JSContext* cx, JSScript* script, const js::Value& value)
 {
     SetThis(cx, script, TypeSet::GetValueType(value));
 }
 
 /* static */ inline void
 TypeScript::SetArgument(JSContext* cx, JSScript* script, unsigned arg, TypeSet::Type type)
 {
-    cx->check(script, type);
+    cx->check(script->compartment(), type);
 
     AutoSweepTypeScript sweep(script);
     StackTypeSet* types = ArgTypes(script, arg);
     if (!types) {
         return;
     }
 
     if (!types->hasType(type)) {

js/src/jit-test/tests/realms/bug1496892.js		file \| annotate \| diff \| comparison \| revisions
js/src/vm/TypeInference-inl.h		file \| annotate \| diff \| comparison \| revisions