diff options
Diffstat (limited to 'dom')
| -rw-r--r-- | dom/base/nsGlobalWindow.cpp | 14 | ||||
| -rw-r--r-- | dom/canvas/WebGLContextBuffers.cpp | 12 | ||||
| -rw-r--r-- | dom/indexedDB/IDBDatabase.cpp | 3 | ||||
| -rw-r--r-- | dom/indexedDB/IDBObjectStore.cpp | 23 |
4 files changed, 48 insertions, 4 deletions
diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp index afaa24f09..ec546f068 100644 --- a/dom/base/nsGlobalWindow.cpp +++ b/dom/base/nsGlobalWindow.cpp @@ -3224,6 +3224,12 @@ nsGlobalWindow::SetNewDocument(nsIDocument* aDocument, newInnerWindow->mLocalStorage = nullptr; newInnerWindow->mSessionStorage = nullptr; + newInnerWindow->mPerformance = nullptr; + + // This must be called after nulling the internal objects because + // we might recreate them here by calling the getter methods, and + // store them into the JS slots. If we null them after, the slot + // values and the objects will be out of sync. newInnerWindow->ClearDocumentDependentSlots(cx); } } else { @@ -3364,10 +3370,16 @@ nsGlobalWindow::InnerSetNewDocument(JSContext* aCx, nsIDocument* aDocument) } mDoc = aDocument; - ClearDocumentDependentSlots(aCx); mFocusedNode = nullptr; mLocalStorage = nullptr; mSessionStorage = nullptr; + mPerformance = nullptr; + + // This must be called after nulling the internal objects because we might + // recreate them here by calling the getter methods, and store them into the JS + // slots. If we null them after, the slot values and the objects will be + // out of sync. + ClearDocumentDependentSlots(aCx); #ifdef DEBUG mLastOpenedURI = aDocument->GetDocumentURI(); diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp index af506c01c..f53f9d7d7 100644 --- a/dom/canvas/WebGLContextBuffers.cpp +++ b/dom/canvas/WebGLContextBuffers.cpp @@ -9,6 +9,8 @@ #include "WebGLBuffer.h" #include "WebGLVertexArray.h" +#include "mozilla/CheckedInt.h" + namespace mozilla { WebGLRefPtr<WebGLBuffer>* @@ -345,6 +347,16 @@ WebGLContext::BufferData(GLenum target, WebGLsizeiptr size, GLenum usage) //// + const auto checkedSize = CheckedInt<size_t>(size); + if (!checkedSize.isValid()) + return ErrorOutOfMemory("%s: Size too large for platform.", funcName); + +#if defined(XP_MACOSX) + if (gl->WorkAroundDriverBugs() && size > 1200000000) { + return ErrorOutOfMemory("Allocations larger than 1200000000 fail on MacOS."); + } +#endif + const UniqueBuffer zeroBuffer(calloc(size, 1)); if (!zeroBuffer) return ErrorOutOfMemory("%s: Failed to allocate zeros.", funcName); diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp index 5592e7f93..6ef352801 100644 --- a/dom/indexedDB/IDBDatabase.cpp +++ b/dom/indexedDB/IDBDatabase.cpp @@ -1257,6 +1257,9 @@ IDBDatabase::LastRelease() AssertIsOnOwningThread(); CloseInternal(); + + // Make sure that file actors created after the database was closed are expired. + ExpireFileActors(/* aExpireAll */ true); if (mBackgroundActor) { mBackgroundActor->SendDeleteMeInternal(); diff --git a/dom/indexedDB/IDBObjectStore.cpp b/dom/indexedDB/IDBObjectStore.cpp index f86c619a7..cbac30894 100644 --- a/dom/indexedDB/IDBObjectStore.cpp +++ b/dom/indexedDB/IDBObjectStore.cpp @@ -1114,7 +1114,7 @@ IDBObjectStore::AppendIndexUpdateInfo( } bool isArray; - if (!JS_IsArrayObject(aCx, val, &isArray)) { + if (NS_WARN_IF(!JS_IsArrayObject(aCx, val, &isArray))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } @@ -1127,8 +1127,25 @@ IDBObjectStore::AppendIndexUpdateInfo( } for (uint32_t arrayIndex = 0; arrayIndex < arrayLength; arrayIndex++) { - JS::Rooted<JS::Value> arrayItem(aCx); - if (NS_WARN_IF(!JS_GetOwnElement(aCx, array, arrayIndex, &arrayItem))) { + JS::RootedId indexId(aCx);
+ if (NS_WARN_IF(!JS_IndexToId(aCx, arrayIndex, &indexId))) {
+ IDB_REPORT_INTERNAL_ERR();
+ return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
+ }
+
+ bool hasOwnProperty;
+ if (NS_WARN_IF(
+ !JS_HasOwnPropertyById(aCx, array, indexId, &hasOwnProperty))) {
+ IDB_REPORT_INTERNAL_ERR();
+ return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
+ }
+
+ if (!hasOwnProperty) {
+ continue;
+ }
+
+ JS::RootedValue arrayItem(aCx);
+ if (NS_WARN_IF(!JS_GetPropertyById(aCx, array, indexId, &arrayItem))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } |