Closed Bug 1512410 Opened 5 years ago Closed 5 years ago

Need to check object realm when doing a NewObjectCache lookup

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox65 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(2 files)

Bug 1512410 part 1 - Add a realm check to the NewObjectCache to fix a bug with same-compartment realms. r?luke
47 bytes, text/x-phabricator-request
Details | Review
Bug 1512410 part 2 - Don't create a TypeNewScript for cross-realm constructors, add more asserts. r?luke
47 bytes, text/x-phabricator-request
Details | Review 
Enabling same-compartment-realms for system realms uncovered a fun bug: the NewObjectCache lookup is based on clasp + one of proto/group/global. If we do the lookup based on the proto, the cache can incorrectly return a cross-realm object with same-compartment-realms. I'll try to write a shell test.
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c24a1c1237ba
part 1 - Add a realm check to the NewObjectCache to fix a bug with same-compartment realms. r=luke
https://hg.mozilla.org/integration/autoland/rev/09493e80dbe7
part 2 - Don't create a TypeNewScript for cross-realm constructors, add more asserts. r=luke
https://hg.mozilla.org/mozilla-central/rev/c24a1c1237ba
https://hg.mozilla.org/mozilla-central/rev/09493e80dbe7
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox65: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: