Bug 1970154 - Streams Realm Handling Improvements r=saschanaz,jonco, a=dsmith DONTBUILD

Make TransferArrayBuffer cautious, and remove overzealous assert in JS_GetArrayBufferViewBuffer

Differential Revision: https://phabricator.services.mozilla.com/D253288
Matthew Gaudet
2025-07-30 16:34:23 +00:00
committed by dsmith@mozilla.com
parent 47e3221ff1
commit b8bf3faaee
2 changed files with 26 additions and 15 deletions


@@ -16,23 +16,35 @@ namespace mozilla::dom {
// https://streams.spec.whatwg.org/#transfer-array-buffer
// As some parts of the specifcation want to use the abrupt completion value,
// this function may leave a pending exception if it returns nullptr.
//
// This can be called with a CCW to an ArrayBuffer Object as we handle the
// case explicitly.
JSObject* TransferArrayBuffer(JSContext* aCx, JS::Handle<JSObject*> aObject) {
MOZ_ASSERT(JS::IsArrayBufferObject(aObject));
JS::Rooted<JSObject*> unwrappedObj(aCx, JS::UnwrapArrayBuffer(aObject));
if (!unwrappedObj) {
js::ReportAccessDenied(aCx);
return nullptr;
}
size_t bufferLength = 0;
UniquePtr<void, JS::FreePolicy> bufferData;
{
JSAutoRealm ar(aCx, unwrappedObj);
// Step 1.
MOZ_ASSERT(!JS::IsDetachedArrayBufferObject(aObject));
MOZ_ASSERT(!JS::IsDetachedArrayBufferObject(unwrappedObj));
// Step 3 (Reordered)
size_t bufferLength = JS::GetArrayBufferByteLength(aObject);
bufferLength = JS::GetArrayBufferByteLength(unwrappedObj);
// Step 2 (Reordered)
UniquePtr<void, JS::FreePolicy> bufferData{
JS::StealArrayBufferContents(aCx, aObject)};
bufferData.reset(JS::StealArrayBufferContents(aCx, unwrappedObj));
// Step 4.
if (!JS::DetachArrayBuffer(aCx, aObject)) {
if (!JS::DetachArrayBuffer(aCx, unwrappedObj)) {
return nullptr;
}
}
// Step 5.
return JS::NewArrayBufferWithContents(aCx, bufferLength,
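Review bot: The pointer returned by `JS::StealArrayBufferContents` at Step 2 goes straight into `bufferData.reset(...)` and is never tested, so a failed steal still reaches `JS::DetachArrayBuffer` and then Step 5 with the `bufferLength` read earlier. If that API can return null with an exception pending (worth confirming against its contract, including for zero-length buffers), the function would continue with a non-zero length and no backing data. A guard right after the reset, such as `if (!bufferData && bufferLength) { return nullptr; }`, would keep the header comment's "pending exception if it returns nullptr" promise. The Step 5 return statement continues past the end of the hunk, so how a null `bufferData` is handled there is not visible here.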


@@ -450,7 +450,6 @@ JS_PUBLIC_API JSObject* JS_GetArrayBufferViewBuffer(JSContext* cx,
bool* isSharedMemory) {
AssertHeapIsIdle();
CHECK_THREAD(cx);
cx->check(obj);
Rooted<ArrayBufferViewObject*> unwrappedView(
cx, obj->maybeUnwrapAs<ArrayBufferViewObject>());