author | Moonchild <moonchild@palemoon.org> | 2021-01-26 12:28:25 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2021-01-26 12:28:25 +0000 |
commit | b5fcf139d4cc100d1596fe0dc39f7f3e506b1f60 (patch) | |
tree | ae27258a2646f1c46ed31c880a4fcb2e5eaf8e2d | |
parent | 42ed248cd70e1868c7867bc423fc092306ace250 (diff) | |
download | uxp-b5fcf139d4cc100d1596fe0dc39f7f3e506b1f60.tar.gz |
[js] Add AutoEnterOOMUnsafeRegion to JS_TransplantObject.
Transplanting objects is inherently oom-unsafe, so add
`AutoEnterOOMUnsafeRegion` to `JS_TransplantObject()` and annotate crashes
accordingly if they do happen.
-rw-r--r-- | js/src/jsapi.cpp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index e9f86bde10..f4b3c98545 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -873,6 +873,9 @@ JS_TransplantObject(JSContext* cx, HandleObject origobj, HandleObject target)
 AutoDisableCompactingGC nocgc(cx);
 AutoDisableProxyCheck adpc(cx->runtime());
+
+ // Transplanting is never OOM-safe.
+ AutoEnterOOMUnsafeRegion oomUnsafe;
 JSCompartment* destination = target->compartment();
@@ -905,19 +908,22 @@ JS_TransplantObject(JSContext* cx, HandleObject origobj, HandleObject target)
 // Now, iterate through other scopes looking for references to the
 // old object, and update the relevant cross-compartment wrappers.
 if (!RemapAllWrappersForObject(cx, origobj, newIdentity))
- MOZ_CRASH();
+ oomUnsafe.crash("JS_TransplantObject");
 // Lastly, update the original object to point to the new one.
 if (origobj->compartment() != destination) {
 RootedObject newIdentityWrapper(cx, newIdentity);
 AutoCompartment ac(cx, origobj);
- if (!JS_WrapObject(cx, &newIdentityWrapper))
- MOZ_CRASH();
+ if (!JS_WrapObject(cx, &newIdentityWrapper)) {
+ MOZ_RELEASE_ASSERT(cx->isThrowingOutOfMemory() ||
+ cx->isThrowingOverRecursed());
+ oomUnsafe.crash("JS_TransplantObject");
+ }
 MOZ_ASSERT(Wrapper::wrappedObject(newIdentityWrapper) == newIdentity);
 if (!JSObject::swap(cx, origobj, newIdentityWrapper))
 MOZ_CRASH();
 if (!origobj->compartment()->putWrapper(cx, CrossCompartmentKey(newIdentity), origv))
- MOZ_CRASH();
+ oomUnsafe.crash("JS_TransplantObject");
 }
 // The new identity object might be one of several things. Return it to avoid
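Review bot: In the second hunk the `JSObject::swap` failure path keeps a bare `MOZ_CRASH();` while the three neighbouring failure paths were changed to `oomUnsafe.crash("JS_TransplantObject")`, so a crash from that site will not carry the OOM annotation the commit description promises. If swap can only fail on out-of-memory, `oomUnsafe.crash("JS_TransplantObject");` there would make the function uniform; if it can fail for other reasons, a one-line comment saying why that site stays a plain crash would stop the next reader from "fixing" it. The three converted sites also pass the identical reason string, so a crash report cannot tell which step ran out of memory; distinct reasons such as `oomUnsafe.crash("JS_TransplantObject: RemapAllWrappersForObject");` would preserve that information at no cost. The `MOZ_RELEASE_ASSERT` on the thrown exception kind is only applied at the `JS_WrapObject` site and not at the `RemapAllWrappersForObject` or `putWrapper` sites; if those helpers also report failure via the context, the same assertion there would document the assumption equally well. JS_TransplantObject begins and ends outside the hunk.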