Closed Bug 863847 Opened 11 years ago Closed 10 years ago

Expose transplant to fuzzers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: billm, Assigned: billm)

Details

Attachments

(1 file, 1 obsolete file)

patch v1
4.43 KB, patch
bholley
: review+
Details | Diff | Splinter Review
Attached patch patch (obsolete) — Splinter Review 
This would be nice for testing. I restricted transplants to things of class ObjectClass that are not on anyone's prototype chain. It's only available in the shell--not the browser.
Attachment #739766 - Flags: review?(bobbyholley+bmo)
Comment on attachment 739766 [details] [diff] [review]
patch

Review of attachment 739766 [details] [diff] [review]:
-----------------------------------------------------------------

Where is the implementation of the restrictions described in comment 0?

::: js/src/builtin/TestingFunctions.cpp
@@ +937,5 @@
> +        return false;
> +    }
> +
> +    /* Unwrap the argument, as it may be in another compartment. */
> +    RootedObject source(cx, UncheckedUnwrap(&args[0].toObject()));

You need to ReportUsageError if !args[0].isObject(), right? Otherwise this will assert.
Attachment #739766 - Flags: review?(bobbyholley+bmo) → review-
Attached patch patch v1Splinter Review 
Sorry, I forgot to qref.
Attachment #739766 - Attachment is obsolete: true
Attachment #740456 - Flags: review?(bobbyholley+bmo)
Comment on attachment 740456 [details] [diff] [review]
patch v1

Review of attachment 740456 [details] [diff] [review]:
-----------------------------------------------------------------

There may be other things that we don't support transplanting, but the cost of getting things wrong here is pretty low. r=bholley

::: js/src/jit-test/tests/basic/transplant1.js
@@ +1,1 @@
> +var orig = {a:1};

Maybe add brief comments to these. In this case, even just something like "Intra-compartment transplant".

::: js/src/shell/js.cpp
@@ +2622,5 @@
> +    /* Unwrap the argument, as it may be in another compartment. */
> +    RootedObject source(cx, UncheckedUnwrap(&args[0].toObject()));
> +    RootedObject comp(cx, argc == 2
> +                          ? UncheckedUnwrap(&args[1].toObject())
> +                          : cx->compartment->maybeGlobal());

Maybe this is just the XPConnect-er in me, but can we call this |scope|? |comp| implies a JSCompartment to me...
Attachment #740456 - Flags: review?(bobbyholley+bmo) → review+
billm: did you forget to land this r+'d patch from April 2013? Is it still relevant?
Flags: needinfo?(wmccloskey)
I think this code is just too delicate to test. I rebased the patch, but it's broken by GGC. I'm going to close this WONTFIX.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(wmccloskey)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: