author | Moonchild <moonchild@palemoon.org> | 2021-01-26 12:28:25 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2021-01-26 12:28:25 +0000 |
commit | 2f9e27a306be22f11dec8e8fec37f530205ad180 (patch) | |
tree | ae27258a2646f1c46ed31c880a4fcb2e5eaf8e2d | |
parent | 3a8b4ad00ad6cffba1129fcb23c926a7a924cbfa (diff) | |
[js] Add AutoEnterOOMUnsafeRegion to JS_TransplantObject.
Transplanting objects is inherently oom-unsafe, so add
`AutoEnterOOMUnsafeRegion` to `JS_TransplantObject()` and annotate crashes
accordingly if they do happen.
-rw-r--r-- | js/src/jsapi.cpp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index e9f86bde1..f4b3c9854 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -873,6 +873,9 @@ JS_TransplantObject(JSContext* cx, HandleObject origobj, HandleObject target)
 AutoDisableCompactingGC nocgc(cx);
 AutoDisableProxyCheck adpc(cx->runtime());
+
+ // Transplanting is never OOM-safe.
+ AutoEnterOOMUnsafeRegion oomUnsafe;
 JSCompartment* destination = target->compartment();
@@ -905,19 +908,22 @@ JS_TransplantObject(JSContext* cx, HandleObject origobj, HandleObject target)
 // Now, iterate through other scopes looking for references to the
 // old object, and update the relevant cross-compartment wrappers.
 if (!RemapAllWrappersForObject(cx, origobj, newIdentity))
- MOZ_CRASH();
+ oomUnsafe.crash("JS_TransplantObject");
 // Lastly, update the original object to point to the new one.
 if (origobj->compartment() != destination) {
 RootedObject newIdentityWrapper(cx, newIdentity);
 AutoCompartment ac(cx, origobj);
- if (!JS_WrapObject(cx, &newIdentityWrapper))
- MOZ_CRASH();
+ if (!JS_WrapObject(cx, &newIdentityWrapper)) {
+ MOZ_RELEASE_ASSERT(cx->isThrowingOutOfMemory() ||
+ cx->isThrowingOverRecursed());
+ oomUnsafe.crash("JS_TransplantObject");
+ }
 MOZ_ASSERT(Wrapper::wrappedObject(newIdentityWrapper) == newIdentity);
 if (!JSObject::swap(cx, origobj, newIdentityWrapper))
 MOZ_CRASH();
 if (!origobj->compartment()->putWrapper(cx, CrossCompartmentKey(newIdentity), origv))
- MOZ_CRASH();
+ oomUnsafe.crash("JS_TransplantObject");
 }
 // The new identity object might be one of several things. Return it to avoid
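Review bot: In the second hunk the `JSObject::swap` failure between the two converted sites still reads `MOZ_CRASH();`, so one of the four fatal paths in this block keeps the unannotated crash while its neighbours now go through `oomUnsafe.crash(...)`; if that is deliberate because swap can fail for a reason other than OOM, a one-line comment saying so (`// Not an OOM path; see JSObject::swap.`) would stop the next reader from "fixing" it, otherwise it should become `oomUnsafe.crash("JS_TransplantObject");` like the others. The three converted sites all pass the identical reason string `"JS_TransplantObject"`, so a crash report cannot tell which step (RemapAllWrappersForObject, JS_WrapObject, or putWrapper) ran out of memory; distinct strings such as `oomUnsafe.crash("JS_TransplantObject: RemapAllWrappersForObject")` cost nothing and make triage of field crashes far easier. The `MOZ_RELEASE_ASSERT(cx->isThrowingOutOfMemory() || cx->isThrowingOverRecursed())` guard is only applied to the JS_WrapObject path, which is presumably because the other two helpers can only fail on allocation, though that cannot be confirmed from the hunk. JS_TransplantObject's body begins before the first hunk and continues past the end of the second.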