Bug 1470250 part 1 - Use correct realm in ObjectGroupRealm::makeGroup…

…. r=luke
dothq · Jun 26, 2018 · c3d78df · c3d78df
1 parent 43bc59c
commit c3d78df
Show file tree

Hide file tree

Showing 10 changed files with 43 additions and 31 deletions.
diff --git a/js/src/builtin/MapObject.cpp b/js/src/builtin/MapObject.cpp
@@ -376,7 +376,8 @@ MapIteratorObject::createResultPair(JSContext* cx)
         return nullptr;
 
     Rooted<TaggedProto> proto(cx, resultPairObj->taggedProto());
-    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, resultPairObj->getClass(), proto);
+    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, resultPairObj->realm(),
+                                                     resultPairObj->getClass(), proto);
     if (!group)
         return nullptr;
     resultPairObj->setGroup(group);
@@ -1207,7 +1208,8 @@ SetIteratorObject::createResult(JSContext* cx)
         return nullptr;
 
     Rooted<TaggedProto> proto(cx, resultObj->taggedProto());
-    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, resultObj->getClass(), proto);
+    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, resultObj->realm(),
+                                                     resultObj->getClass(), proto);
     if (!group)
         return nullptr;
     resultObj->setGroup(group);

diff --git a/js/src/vm/EnvironmentObject.cpp b/js/src/vm/EnvironmentObject.cpp
@@ -145,9 +145,8 @@ CallObject::createSingleton(JSContext* cx, HandleShape shape)
     MOZ_ASSERT(CanBeFinalizedInBackground(kind, &CallObject::class_));
     kind = gc::GetBackgroundAllocKind(kind);
 
-    ObjectGroupRealm& realm = ObjectGroupRealm::getForNewObject(cx);
-    RootedObjectGroup group(cx, ObjectGroup::lazySingletonGroup(cx, realm, &class_,
-                                                                TaggedProto(nullptr)));
+    RootedObjectGroup group(cx, ObjectGroup::lazySingletonGroup(cx, /* oldGroup = */ nullptr,
+                                                                &class_, TaggedProto(nullptr)));
     if (!group)
         return nullptr;
 

diff --git a/js/src/vm/Iteration.cpp b/js/src/vm/Iteration.cpp
@@ -980,7 +980,8 @@ Realm::getOrCreateIterResultTemplateObject(JSContext* cx)
 
     // Create a new group for the template.
     Rooted<TaggedProto> proto(cx, templateObject->taggedProto());
-    RootedObjectGroup group(cx, ObjectGroupRealm::makeGroup(cx, templateObject->getClass(),
+    RootedObjectGroup group(cx, ObjectGroupRealm::makeGroup(cx, templateObject->realm(),
+                                                            templateObject->getClass(),
                                                             proto));
     if (!group)
         return iterResultTemplate_; // = nullptr

diff --git a/js/src/vm/JSObject-inl.h b/js/src/vm/JSObject-inl.h
@@ -158,8 +158,7 @@ JSObject::setSingleton(JSContext* cx, js::HandleObject obj)
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
 
-    js::ObjectGroupRealm& realm = js::ObjectGroupRealm::get(obj->group_);
-    js::ObjectGroup* group = js::ObjectGroup::lazySingletonGroup(cx, realm, obj->getClass(),
+    js::ObjectGroup* group = js::ObjectGroup::lazySingletonGroup(cx, obj->group_, obj->getClass(),
                                                                  obj->taggedProto());
     if (!group)
         return false;

diff --git a/js/src/vm/JSObject.cpp b/js/src/vm/JSObject.cpp
@@ -2109,7 +2109,7 @@ SetClassAndProto(JSContext* cx, HandleObject obj,
         // group so we can keep track of the interpreted function for Ion
         // inlining.
         MOZ_ASSERT(obj->is<JSFunction>());
-        newGroup = ObjectGroupRealm::makeGroup(cx, &JSFunction::class_, proto);
+        newGroup = ObjectGroupRealm::makeGroup(cx, oldGroup->realm(), &JSFunction::class_, proto);
         if (!newGroup)
             return false;
         newGroup->setInterpretedFunction(oldGroup->maybeInterpretedFunction());
@@ -2145,8 +2145,7 @@ JSObject::changeToSingleton(JSContext* cx, HandleObject obj)
 
     MarkObjectGroupUnknownProperties(cx, obj->group());
 
-    ObjectGroupRealm& realm = ObjectGroupRealm::get(obj->group());
-    ObjectGroup* group = ObjectGroup::lazySingletonGroup(cx, realm, obj->getClass(),
+    ObjectGroup* group = ObjectGroup::lazySingletonGroup(cx, obj->group(), obj->getClass(),
                                                          obj->taggedProto());
     if (!group)
         return false;

diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
@@ -324,8 +324,8 @@ JSObject::makeLazyGroup(JSContext* cx, HandleObject obj)
         initialFlags |= OBJECT_FLAG_LENGTH_OVERFLOW;
 
     Rooted<TaggedProto> proto(cx, obj->taggedProto());
-    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, obj->getClass(), proto,
-                                                     initialFlags);
+    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, obj->nonCCWRealm(), obj->getClass(),
+                                                     proto, initialFlags);
     if (!group)
         return nullptr;
 
@@ -580,7 +580,8 @@ ObjectGroup::defaultNewGroup(JSContext* cx, const Class* clasp,
         initialFlags = OBJECT_FLAG_DYNAMIC_MASK;
 
     Rooted<TaggedProto> protoRoot(cx, proto);
-    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, clasp ? clasp : &PlainObject::class_,
+    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, cx->realm(),
+                                                     clasp ? clasp : &PlainObject::class_,
                                                      protoRoot, initialFlags);
     if (!group)
         return nullptr;
@@ -623,9 +624,13 @@ ObjectGroup::defaultNewGroup(JSContext* cx, const Class* clasp,
 }
 
 /* static */ ObjectGroup*
-ObjectGroup::lazySingletonGroup(JSContext* cx, ObjectGroupRealm& realm, const Class* clasp,
+ObjectGroup::lazySingletonGroup(JSContext* cx, ObjectGroup* oldGroup, const Class* clasp,
                                 TaggedProto proto)
 {
+    ObjectGroupRealm& realm = oldGroup
+                              ? ObjectGroupRealm::get(oldGroup)
+                              : ObjectGroupRealm::getForNewObject(cx);
+
     MOZ_ASSERT_IF(proto.isObject(), cx->compartment() == proto.toObject()->compartment());
 
     ObjectGroupRealm::NewTable*& table = realm.lazyTable;
@@ -656,7 +661,9 @@ ObjectGroup::lazySingletonGroup(JSContext* cx, ObjectGroupRealm& realm, const Cl
 
     Rooted<TaggedProto> protoRoot(cx, proto);
     ObjectGroup* group =
-        ObjectGroupRealm::makeGroup(cx, clasp, protoRoot,
+        ObjectGroupRealm::makeGroup(cx,
+                                    oldGroup ? oldGroup->realm() : cx->realm(),
+                                    clasp, protoRoot,
                                     OBJECT_FLAG_SINGLETON | OBJECT_FLAG_LAZY_SINGLETON);
     if (!group)
         return nullptr;
@@ -883,7 +890,7 @@ ObjectGroup::newArrayObject(JSContext* cx,
         if (!proto)
             return nullptr;
         Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
-        group = ObjectGroupRealm::makeGroup(cx, &ArrayObject::class_, taggedProto);
+        group = ObjectGroupRealm::makeGroup(cx, cx->realm(), &ArrayObject::class_, taggedProto);
         if (!group)
             return nullptr;
 
@@ -1210,7 +1217,8 @@ ObjectGroup::newPlainObject(JSContext* cx, IdValuePair* properties, size_t nprop
             return nullptr;
 
         Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
-        RootedObjectGroup group(cx, ObjectGroupRealm::makeGroup(cx, &PlainObject::class_,
+        RootedObjectGroup group(cx, ObjectGroupRealm::makeGroup(cx, cx->realm(),
+                                                                &PlainObject::class_,
                                                                 tagged));
         if (!group)
             return nullptr;
@@ -1485,7 +1493,8 @@ ObjectGroup::allocationSiteGroup(JSContext* cx, JSScript* scriptArg, jsbytecode*
     AutoEnterAnalysis enter(cx);
 
     Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
-    ObjectGroup* res = ObjectGroupRealm::makeGroup(cx, GetClassForProtoKey(kind), tagged,
+    ObjectGroup* res = ObjectGroupRealm::makeGroup(cx, script->realm(),
+                                                   GetClassForProtoKey(kind), tagged,
                                                    OBJECT_FLAG_FROM_ALLOCATION_SITE);
     if (!res)
         return nullptr;
@@ -1689,7 +1698,7 @@ ObjectGroupRealm::replaceDefaultNewGroup(const Class* clasp, TaggedProto proto,
 
 /* static */
 ObjectGroup*
-ObjectGroupRealm::makeGroup(JSContext* cx, const Class* clasp,
+ObjectGroupRealm::makeGroup(JSContext* cx, Realm* realm, const Class* clasp,
                             Handle<TaggedProto> proto,
                             ObjectGroupFlags initialFlags /* = 0 */)
 {
@@ -1698,7 +1707,7 @@ ObjectGroupRealm::makeGroup(JSContext* cx, const Class* clasp,
     ObjectGroup* group = Allocate<ObjectGroup>(cx);
     if (!group)
         return nullptr;
-    new(group) ObjectGroup(clasp, proto, cx->realm(), initialFlags);
+    new(group) ObjectGroup(clasp, proto, realm, initialFlags);
 
     return group;
 }
@@ -1724,7 +1733,7 @@ ObjectGroupRealm::getStringSplitStringGroup(JSContext* cx)
         return nullptr;
     Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
 
-    group = makeGroup(cx, clasp, tagged, /* initialFlags = */ 0);
+    group = makeGroup(cx, cx->realm(), clasp, tagged, /* initialFlags = */ 0);
     if (!group)
         return nullptr;
 

diff --git a/js/src/vm/ObjectGroup.h b/js/src/vm/ObjectGroup.h
@@ -533,7 +533,7 @@ class ObjectGroup : public gc::TenuredCell
     static ObjectGroup* defaultNewGroup(JSContext* cx, const Class* clasp,
                                         TaggedProto proto,
                                         JSObject* associated = nullptr);
-    static ObjectGroup* lazySingletonGroup(JSContext* cx, ObjectGroupRealm& realm,
+    static ObjectGroup* lazySingletonGroup(JSContext* cx, ObjectGroup* oldGroup,
                                            const Class* clasp, TaggedProto proto);
 
     static void setDefaultNewGroupUnknown(JSContext* cx, ObjectGroupRealm& realm,
@@ -699,7 +699,7 @@ class ObjectGroupRealm
     void replaceDefaultNewGroup(const Class* clasp, TaggedProto proto, JSObject* associated,
                                 ObjectGroup* group);
 
-    static ObjectGroup* makeGroup(JSContext* cx, const Class* clasp,
+    static ObjectGroup* makeGroup(JSContext* cx, JS::Realm* realm, const Class* clasp,
                                   Handle<TaggedProto> proto,
                                   ObjectGroupFlags initialFlags = 0);
 

diff --git a/js/src/vm/RegExpObject.cpp b/js/src/vm/RegExpObject.cpp
@@ -1229,7 +1229,8 @@ RegExpRealm::createMatchResultTemplateObject(JSContext* cx)
 
     // Create a new group for the template.
     Rooted<TaggedProto> proto(cx, templateObject->taggedProto());
-    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, templateObject->getClass(), proto);
+    ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, templateObject->realm(),
+                                                     templateObject->getClass(), proto);
     if (!group)
         return matchResultTemplateObject_; // = nullptr
     templateObject->setGroup(group);

diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
@@ -3476,7 +3476,7 @@ JSFunction::setTypeForScriptedFunction(JSContext* cx, HandleFunction fun,
     } else {
         RootedObject funProto(cx, fun->staticPrototype());
         Rooted<TaggedProto> taggedProto(cx, TaggedProto(funProto));
-        ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, &JSFunction::class_,
+        ObjectGroup* group = ObjectGroupRealm::makeGroup(cx, fun->realm(), &JSFunction::class_,
                                                          taggedProto);
         if (!group)
             return false;
@@ -3995,8 +3995,8 @@ TypeNewScript::maybeAnalyze(JSContext* cx, ObjectGroup* group, bool* regenerate,
     ObjectGroupFlags initialFlags = group->flags(sweep) & OBJECT_FLAG_DYNAMIC_MASK;
 
     Rooted<TaggedProto> protoRoot(cx, group->proto());
-    ObjectGroup* initialGroup = ObjectGroupRealm::makeGroup(cx, group->clasp(), protoRoot,
-                                                            initialFlags);
+    ObjectGroup* initialGroup = ObjectGroupRealm::makeGroup(cx, group->realm(), group->clasp(),
+                                                            protoRoot, initialFlags);
     if (!initialGroup)
         return false;
 

diff --git a/js/src/vm/UnboxedObject.cpp b/js/src/vm/UnboxedObject.cpp
@@ -572,7 +572,8 @@ UnboxedLayout::makeNativeGroup(JSContext* cx, ObjectGroup* group)
     // slot accesses later on for sites that see converted objects from this
     // group and objects that were allocated using the replacement new group.
     if (layout.newScript()) {
-        replacementGroup = ObjectGroupRealm::makeGroup(cx, &PlainObject::class_, proto);
+        replacementGroup = ObjectGroupRealm::makeGroup(cx, group->realm(), &PlainObject::class_,
+                                                       proto);
         if (!replacementGroup)
             return false;
 
@@ -597,7 +598,8 @@ UnboxedLayout::makeNativeGroup(JSContext* cx, ObjectGroup* group)
         RootedScript script(cx, layout.allocationScript());
         jsbytecode* pc = layout.allocationPc();
 
-        replacementGroup = ObjectGroupRealm::makeGroup(cx, &PlainObject::class_, proto);
+        replacementGroup = ObjectGroupRealm::makeGroup(cx, group->realm(), &PlainObject::class_,
+                                                       proto);
         if (!replacementGroup)
             return false;
 
@@ -638,7 +640,7 @@ UnboxedLayout::makeNativeGroup(JSContext* cx, ObjectGroup* group)
     }
 
     ObjectGroup* nativeGroup =
-        ObjectGroupRealm::makeGroup(cx, &PlainObject::class_, proto,
+        ObjectGroupRealm::makeGroup(cx, group->realm(), &PlainObject::class_, proto,
                                     group->flags(sweep) & OBJECT_FLAG_DYNAMIC_MASK);
     if (!nativeGroup)
         return false;