Bug 1103817 - Handle cross compartment references to JSScripts in JS_TraceIncomingCCWs. r=terrence

2024-09-13 09:24:08 -07:00 · 2014-12-05 17:11:30 -08:00 · 2014-12-05 17:11:30 -08:00 · a390d9a15d
commit a390d9a15d
parent 4973cdd919
2 changed files with 37 additions and 10 deletions
--- a/js/src/gc/Tracer.cpp
+++ b/js/src/gc/Tracer.cpp
@ -135,18 +135,40 @@ JS_TraceIncomingCCWs(JSTracer *trc, const JS::ZoneSet &zones)

            for (JSCompartment::WrapperEnum e(comp); !e.empty(); e.popFront()) {
                const CrossCompartmentKey &key = e.front().key();
-                // StringWrappers are just used to avoid copying strings across
-                // zones multiple times, and don't hold a strong reference.
-                if (key.kind == CrossCompartmentKey::StringWrapper)
+                JSObject *obj;
+                JSScript *script;
+
+                switch (key.kind) {
+                  case CrossCompartmentKey::StringWrapper:
+                    // StringWrappers are just used to avoid copying strings
+                    // across zones multiple times, and don't hold a strong
+                    // reference.
                    continue;
-                JSObject *obj = static_cast<JSObject *>(key.wrapped);
-                // Ignore CCWs whose wrapped value doesn't live in our given set
-                // of zones.
+
+                  case CrossCompartmentKey::ObjectWrapper:
+                  case CrossCompartmentKey::DebuggerObject:
+                  case CrossCompartmentKey::DebuggerSource:
+                  case CrossCompartmentKey::DebuggerEnvironment:
+                    obj = static_cast<JSObject *>(key.wrapped);
+                    // Ignore CCWs whose wrapped value doesn't live in our given
+                    // set of zones.
                    if (!zones.has(obj->zone()))
                        continue;

                    MarkObjectUnbarriered(trc, &obj, "cross-compartment wrapper");
                    MOZ_ASSERT(obj == key.wrapped);
+                    break;
+
+                  case CrossCompartmentKey::DebuggerScript:
+                    script = static_cast<JSScript *>(key.wrapped);
+                    // Ignore CCWs whose wrapped value doesn't live in our given
+                    // set of zones.
+                    if (!zones.has(script->zone()))
+                        continue;
+                    MarkScriptUnbarriered(trc, &script, "cross-compartment wrapper");
+                    MOZ_ASSERT(script == key.wrapped);
+                    break;
+                }
            }
        }
    }
--- a/js/src/jit-test/tests/debug/bug-1103817.js
+++ b/js/src/jit-test/tests/debug/bug-1103817.js
@ -0,0 +1,5 @@
+// Random chosen test: js/src/jit-test/tests/debug/Source-introductionScript-04.js
+x = (new Debugger).addDebuggee(newGlobal());
+print(x.getOwnPropertyDescriptor('Function').value.proto.script);
+// Random chosen test: js/src/jit-test/tests/debug/Memory-takeCensus-03.js
+(new Debugger).memory.takeCensus();