Bug 1201124: Unwrap objects before getting their fields in asm.js; r?luke draft
authorBenjamin Bouvier <benj@benj.me>
Fri, 14 Oct 2016 13:44:46 +0200
changeset 425379 4e8f8b4fac6f69f399c488e936335cf597407907
parent 425377 0a4a547ec3e80555fc847977258d7af7ab8e26a4
child 533910 ca90f28e7ef1a8e4ec035ebbc444b90a88517dd9
push id32414
push userbbouvier@mozilla.com
push dateFri, 14 Oct 2016 17:19:32 +0000
reviewersluke
bugs1201124
milestone52.0a1
Bug 1201124: Unwrap objects before getting their fields in asm.js; r?luke MozReview-Commit-ID: 8TyHcvq4wnD
js/src/asmjs/AsmJS.cpp
js/src/jit-test/tests/asm.js/bug1201124-simd-proxy.js
--- a/js/src/asmjs/AsmJS.cpp
+++ b/js/src/asmjs/AsmJS.cpp
@@ -7404,23 +7404,30 @@ static bool
 LinkFail(JSContext* cx, const char* str)
 {
     JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, GetErrorMessage, nullptr,
                                       JSMSG_USE_ASM_LINK_FAIL, str);
     return false;
 }
 
 static bool
+IsMaybeWrappedScriptedProxy(JSObject* obj)
+{
+    JSObject* unwrapped = UncheckedUnwrap(obj);
+    return unwrapped && IsScriptedProxy(unwrapped);
+}
+
+static bool
 GetDataProperty(JSContext* cx, HandleValue objVal, HandleAtom field, MutableHandleValue v)
 {
     if (!objVal.isObject())
         return LinkFail(cx, "accessing property of non-object");
 
     RootedObject obj(cx, &objVal.toObject());
-    if (IsScriptedProxy(obj))
+    if (IsMaybeWrappedScriptedProxy(obj))
         return LinkFail(cx, "accessing property of a Proxy");
 
     Rooted<PropertyDescriptor> desc(cx);
     RootedId id(cx, AtomToId(field));
     if (!GetPropertyDescriptor(cx, obj, id, &desc))
         return false;
 
     if (!desc.object())
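Review bot: The new IsMaybeWrappedScriptedProxy helper at lines 27–31 has no comment, and its call to UncheckedUnwrap — a primitive that bypasses compartment security checks — is exactly the line a later reader will stop on. The reason it is needed is that IsScriptedProxy on a cross-compartment wrapper answers false even though the GetPropertyDescriptor call below would forward through the wrapper to the proxy's traps, and the reason it is acceptable is that the unwrapped object is only type-inspected, never read; suggested comment above the helper: `// IsScriptedProxy(obj) sees only a cross-compartment wrapper, but GetPropertyDescriptor would still forward to the wrapped proxy's traps, so look through wrappers. UncheckedUnwrap is fine here: the result is only inspected, never accessed.` UncheckedUnwrap is called with its default arguments, so whatever it stops at (presumably a WindowProxy) is left unexamined — worth confirming that case cannot hide a scripted proxy. The rest of GetDataProperty, including the descriptor checks, lies outside this hunk.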
@@ -7685,18 +7692,16 @@ ValidateSimdType(JSContext* cx, const As
 {
     RootedValue _(cx);
     return ValidateSimdType(cx, global, globalVal, &_);
 }
 
 static bool
 ValidateSimdOperation(JSContext* cx, const AsmJSGlobal& global, HandleValue globalVal)
 {
-    // SIMD operations are loaded from the SIMD type, so the type must have been
-    // validated before the operation.
     RootedValue v(cx);
     JS_ALWAYS_TRUE(ValidateSimdType(cx, global, globalVal, &v));
 
     if (!GetDataProperty(cx, v, global.field(), &v))
         return false;
 
     Native native = nullptr;
     switch (global.simdOperationType()) {
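Review bot: Deleting the comment at lines 59–60 leaves `JS_ALWAYS_TRUE(ValidateSimdType(cx, global, globalVal, &v))` on line 62 with no stated reason why a fallible link-time lookup may be asserted infallible. That assertion is sound only if the repeated lookup yields the same result as the earlier validation of the type global, which is presumably what rejecting (wrapped) Proxies in GetDataProperty is meant to guarantee — so the rationale is worth keeping rather than dropping; suggested replacement: `// The SIMD type global was validated earlier, and GetDataProperty rejects Proxies so the repeated lookup cannot observe a different result; hence this cannot fail.` If the old comment was removed because it was considered inaccurate, the replacement should state the actual reason. ValidateSimdOperation continues past the end of this hunk.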
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/bug1201124-simd-proxy.js
@@ -0,0 +1,25 @@
+// |jit-test| test-also-noasmjs
+load(libdir + "asm.js");
+load(libdir + "asserts.js");
+
+if (typeof newGlobal !== 'function')
+    quit();
+
+var stdlib = new (newGlobal().Proxy)(this, new Proxy({
+    simdGet: 0,
+    getOwnPropertyDescriptor(t, pk) {
+        if (pk === "SIMD" && this.simdGet++ === 1) {
+            return {};
+        }
+        return Reflect.getOwnPropertyDescriptor(t, pk);
+    }
+}, {
+    get(t, pk, r) {
+        print("trap", pk);
+        return Reflect.get(t, pk, r);
+    }
+}));
+
+var m = asmCompile('stdlib', '"use asm"; var i4=stdlib.SIMD.Int32x4; var i4add=i4.add; return {}');
+
+assertAsmLinkFail(m, stdlib);
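Review bot: The test only checks that linking fails, which any unrelated link error would also satisfy; it does not show that the proxy's traps were never reached, which is the property the patch is establishing. Naming the inner handler object (`var handler = { simdGet: 0, getOwnPropertyDescriptor(t, pk) { ... } };`, then `new Proxy(handler, {...})`) and adding `assertEq(handler.simdGet, 0);` after the assertAsmLinkFail call should pin that the getOwnPropertyDescriptor trap was not invoked, since the `this.simdGet++` on line 83 ends up writing through to that target object. The `print("trap", pk)` on line 90 looks like leftover debugging output and should either go or become a counter that is asserted the same way. A one-line comment at the top would also help future readers, e.g. `// stdlib is a scripted Proxy created in another global, so asm.js linking sees it through a cross-compartment wrapper.`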