diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-03-17 10:47:56 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-03-17 10:47:56 +0100 |
commit | 56bcb6b5af91696e2700b6477db2473b5921bce1 (patch) | |
tree | f3d1714b551641951b34d0126ec65164171a5612 /js/src/builtin/Eval.cpp | |
parent | e4c64e1a3dd007880ccd12a4273baae9b4380519 (diff) | |
download | UXP-56bcb6b5af91696e2700b6477db2473b5921bce1.tar UXP-56bcb6b5af91696e2700b6477db2473b5921bce1.tar.gz UXP-56bcb6b5af91696e2700b6477db2473b5921bce1.tar.lz UXP-56bcb6b5af91696e2700b6477db2473b5921bce1.tar.xz UXP-56bcb6b5af91696e2700b6477db2473b5921bce1.zip |
Handle same-compartment wrappers in TypedArray methods.
CallTypedArrayMethodIfWrapped (and the CallNonGeneric machinery throughout the
engine) unwraps the `this` argument, but the other arguments are only rewrapped
for the target compartment.
The pattern being used before this patch to get the length of a TypedArray or
possible TypedArray wrapper is:
`callFunction(CallTypedArrayMethodIfWrapped, O, O, "TypedArrayLength")`
The first `O` is the `this` value and the second is an argument. If `O` is a
cross-compartment wrapper, this works fine. The first `O` is unwrapped, revealing
the actual TypedArray object; the second `O` is rewrapped for that TypedArray's
compartment, producing the same TypedArray.
However, if `O` is a same-compartment wrapper, this doesn't work. The first `O` is
unwrapped, revealing the actual TypedArray object in the same compartment;
rewrapping the other `O` does nothing to it, since it is already an object in the
target compartment. Thus TypedArrayLength receives a `this` value that's an
unwrapped TypedArray, but an argument that is still a wrapper.
The fix is to have CallTypedArrayMethodIfWrapped targets only expect `this`
to be an unwrapped TypedArray.
Diffstat (limited to 'js/src/builtin/Eval.cpp')
0 files changed, 0 insertions, 0 deletions