This is also better security-wise: if we're writing the structured clone in some compartment that shouldn't have access to the underlying data of the ImageData, we shouldn't be giving that access here.
The problem we're solving here: getting/entering the realm/global of a cross-compartment wrapper doesn't make sense once there are multiple realms in a compartment and the CCW will be shared by all of them. Because nsXPCWrappedJS can store a CCW, we will no longer be able to use this JSObject to enter the target realm.
What this patch does: we pass a JSContext* to nsXPCWrappedJS::GetNewOrUsed and we use this to store a global object in nsXPCWrappedJS (with the invariant that the object and global stored in nsXPCWrappedJS are same-compartment). Then when we want to enter the nsXPCWrappedJS's target realm, we use this global object instead of the maybe-CCW object. Because we currently still have one realm per compartment and the objects are same-compartment, this is guaranteed to preserve behavior for now.
nsXPCWrappedJS has some code to deal with weak pointers. Fortunately this applies only to root wrappers and root wrappers always store an unwrapped JSObject, so the extra global we store is guaranteed to be marked by the GC in that case (a global object is never collected when there are live JSObjects belonging to the same realm).
We want to be able to enter the Realm we were in when the callback was created
before calling it, but if the callback stores a cross-compartment wrapper we
don't really have a good way to find that Realm. So we store it explicitly by
storing a global when the callback is created.
The changes to the constructor signatures to use JSObject* instead of
JS::Handle<JSObject*> are so we can avoid having to root the global for these
calls. These changes make two of the constructors ambiguous when nullptr is
being passed for the first arg; this patch adds casts to disambiguate.
We can't use memcmp to compare PODs, largely because of undefined
padding. The rest of the Pod* functions are fine though, since we're
replicating or zeroing PODs.
MozReview-Commit-ID: LSspAi8qCWw
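The padding problem described in the commit message above, as an added example (not code from the commit or from the Mozilla tree). The struct and function names are hypothetical, and the padding bytes are set explicitly so the outcome is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed POD for illustration: on common ABIs the compiler inserts
   padding after `tag` so that `value` is aligned. */
struct Pod {
    char tag;
    int value;
};

/* Padding bytes between the two members on this platform. */
size_t padding_bytes(void) {
    return offsetof(struct Pod, value) - sizeof(char);
}

/* Set both members, then give the padding a known byte pattern so the
   result is deterministic (normally padding holds leftover memory). */
static void init_pod(struct Pod *p, char tag, int value, unsigned char fill) {
    p->tag = tag;
    p->value = value;
    memset((unsigned char *)p + sizeof(char), fill, padding_bytes());
}

/* Member-wise comparison: looks only at bytes that carry a value. */
static int fields_equal(const struct Pod *a, const struct Pod *b) {
    return a->tag == b->tag && a->value == b->value;
}

/* Compare two Pods with identical members but different padding.
   use_memcmp = 1: raw byte comparison; 0: member-wise comparison.
   Returns 1 if the pair is reported equal. */
int compare_pair(int use_memcmp) {
    struct Pod a, b;
    init_pod(&a, 'x', 42, 0x00);
    init_pod(&b, 'x', 42, 0xFF);
    if (use_memcmp)
        return memcmp(&a, &b, sizeof a) == 0;
    return fields_equal(&a, &b);
}

int main(void) {
    printf("padding bytes: %zu\n", padding_bytes());
    printf("member-wise equal: %d\n", compare_pair(0));
    printf("memcmp equal:      %d\n", compare_pair(1));
    return 0;
}
```

Zeroing or copying the whole object is unaffected by padding, which is why only the comparison case is a problem.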
This removes AutoMaybeEnterFrameRealm. Most places pass cx->realm->principals: it preserves behavior when the (possibly wrapped) SavedFrame and cx are same-compartment. The main exception is the JSStackFrame DOM bindings code where we have to be a bit smarter about which principals to use.
The stack object might be a CCW and we want to make it impossible to get a CCW's global. Now the caller has to supply a same-compartment global object, so we no longer rely on getting the CCW's global.
The IterableIterator helper currently only supports iterator methods which
return types which are supported by ToJSValue, but do not need a JSContext* to
construct them. That means that getters which need to return native JS objects
or values can't do so safely, or without resorting to hacks.
This patch adds templated helpers which will call a JSContext-accepting,
JS::Value-returning version of the getter methods if they exist, and fall back
to the simpler versions if they don't.
MozReview-Commit-ID: hedZOc3lqR
--HG--
extra : rebase_source : b92cdc3900b3c9bee41836af4d4b9f4e65f3d5f6
This is the first basic implementation of a shared-memory key-value store for
JS message managers. It has one read-write endpoint in the parent process, and
separate read-only endpoints for each child-process message manager.
Changes to the parent endpoint are broadcast to the children as snapshots.
Each snapshot triggers a "change" event with a list of changed keys.
It currently has the following limitations:
- It only supports basic structured clone data. There's no support for blobs,
  input streams, message ports... Blob support will be added in a follow-up
  patch.
- Changes are currently only broadcast to child endpoints when flush() is
  explicitly called in the parent, or when new child processes are launched.
  In a follow-up, this will be changed to automatically flush after changes
  when the event loop is idle.
- All set operations clone their inputs synchronously, which means that
  there's no trivial way for callers to batch multiple changes to a single key
  without some additional effort. It might be useful to add a
  delayed-serialization option to the .set() call in a follow-up, for callers
  who are sure they know what they're doing.
MozReview-Commit-ID: IM8a3UgejXU
--HG--
extra : rebase_source : 66c92d538a5485349bc789028fdc3a6806bc5d5a
extra : source : 2ebaf5f8c6055b11b11d7ec334d54ee941115d48
Summary:
The information returned is identical to
1- canPlayType() for file
2- MediaSource.isTypeSupported for media-source
3- MediaRecorder.isTypeRecorder() for recordings.
Depends on D1616
Tags: #secure-revision
Bug #: 1409664
Differential Revision: https://phabricator.services.mozilla.com/D1617
This will make sure that when running |mach python-test --python 3| locally,
we only run the tests that also run in CI with python 3 (and therefore pass
presumably).
MozReview-Commit-ID: 3OBr9yLSlSq
--HG--
extra : rebase_source : 456340d0ecdddf1078f2b5b4ebb1eddf3813b26a
This reduces memory usage because we only need one allocation instead of two
for the dynamic atom and its chars, and because we don't need to store a
refcount and a size. It precludes sharing of chars between dynamic atoms, but
we weren't benefiting much from that anyway.
This reduces per-process memory usage by up to several hundred KiB on my
Linux64 box.
One consequence of this change is that we need to allocate + copy in
DOMString::SetKnownLiveAtom(), which could make some things slower.
--HG--
extra : rebase_source : ba4065ea31e509dd985c003614199f73def0596c
This does mean that if the node is adopted back into the original document the
expandos would end up on the reflector at that point. I think that's OK;
people shouldn't be adopting things in that direction. Furthermore, if they
adopt, then set expandos, then adopt back they already get this behavior.
So if we decide we don't want that, we should probably just avoid copying own
props when reparenting into a global whose principals don't subsume the old
global.
Some notes: this does not fully bring us to compliance to the current spec.
Instead, these are the fixes that I needed to make in order to make
css/geometry/interfaces.html pass with the DOMPoint changes in the previous
patches. I don't fully understand why that patch caused the test to fail the
way it did, but it ended up being easier to fix our code than understand why
the harness was falling over.
The DOMQuad::QuadBounds class was the source of some confusion for me. Now
that DOMRectReadOnly is a concrete class with members, I wanted to avoid
wasting them. However, the spec is unclear as to whether a DOMQuad's bounds
should be live -- that is because DOMQuad exposes DOMPoint, we can set its
points after retrieving a QuadBounds object. Our current code is live, setting
the points changes the QuadBounds. Chromium's current behavior is to never
update the QuadBounds object. I've left our behavior untouched in this patch
(and waste 4 doubles per QuadBounds object), but I am intending to file a bug
to understand what the intent of the spec is. I wonder if the author intended
the points to be DOMPointReadOnly instead. If so, we could simplify the
DOMRectReadOnly code and get rid of the virtual getters, which would be nice.
I also wasn't thrilled to put the DOMMatrix setters on the DOMMatrixReadOnly
class, but for brevity and simplicity of implementation, I've made them
public. I briefly considered making the setters protected on the ReadOnly
version of the class, but I'm not convinced that having to explicitly make
them public on the derived class is worth the extra copies of the names.
MozReview-Commit-ID: CjdW4Nbnc6A
--HG--
extra : rebase_source : 44489693afebff571a415b487e29fa6153288421
Inheriting PerThreadAtomCache on CycleCollectedJSContext permits use of
static_cast, avoiding one level of indirection compared to adding a
CycleCollectedJSContext* to PerThreadAtomCache.
PerThreadAtomCache is over 18kB, and so WorkerJSContext and WorkletJSContext
are moved from the stack to the heap.
MozReview-Commit-ID: 6jdJeZcviK4
--HG--
extra : rebase_source : 3c2accb71faf3f017a44c405ae0484e57aaf039c
Because of modifications to the DataTransfer constructors, the status of the tests that use DataTransfer objects had to be changed to reflect the fact that those tests now pass. Additionally, a test had to be deleted because it tested an obscure situation using the old Chrome only constructor.
MozReview-Commit-ID: LOWuPwh0NeW
Same approach as the other bug, mostly replacing automatically by removing
'using mozilla::Forward;' and then:
s/mozilla::Forward/std::forward/
s/Forward</std::forward</
The only file that required manual fixup was TestTreeTraversal.cpp, which had
a class called TestNodeForward with template parameters :)
MozReview-Commit-ID: A88qFG5AccP
This was done automatically replacing:
s/mozilla::Move/std::move/
s/ Move(/ std::move(/
s/(Move(/(std::move(/
Removing the 'using mozilla::Move;' lines.
And then with a few manual fixups, see the bug for the split series.
MozReview-Commit-ID: Jxze3adipUh
We want to have some class names with spaces in them, but everything assumes
that an interface identifier is in fact an identifier (e.g. uses it in C++
identifiers like namespace names).
Compared to the spec, we had the following differences:
* Date was a JSON type in our implementation. It doesn't even exist as a type
  in the spec. It stops being a JSON type.
* Annotated types are not supported yet. Nothing changes here.
* Typedef types were not JSON types in our implementation. They become JSON
  types if the type it's a typedef for is one.
* Frozen arrays are not supported yet. Nothing changes here.
* Records were not JSON types in our implementation. They become JSON types
  when the value type is a JSON type.
* Object was not a JSON type in our implementation. It becomes a JSON type.
* Interface types were only JSON types in our implementation if they had a
  jsonifier. We change to treating them as JSON types if there is a jsonifier
  anywhere on the inheritance chain.
In terms of observable behavior, the following properties now get included by
toJSON methods that didn't use to be included:
PaymentResponse.details
Performance.mozMemory
both because they're of type "object".
Without this, we will start including mozMemory in performance.toJSON() even if
the pref for it is not set, once 'object' becomes a JSON type.
This changes behavior in the following observable ways:
1) We stop exposing PerformanceResourceTiming's .serverTiming in the JSON
   serialization in insecure contexts.
2) We stop exposing PerformanceTiming's timeToNonBlankPaint and
   timeToDOMContentFlushed in the JSON serialization unless the relevant
   preferences are turned on.
This patch enables us to specify a custom element type with |is| attribute
or property when creating a XUL element. Because non-dashed names are valid
custom element names in XUL (bug 1446247), other checks have to be modified
accordingly.
The checks I am settling with are
1) Forbids the custom built-in element names to be a non-dashed name.
2) Forbids the custom built-in element to extend a dashed built-in element name.
This also ensures the custom built-in element types don't take on the same
name as the element name it extends.
MozReview-Commit-ID: GCQ9RnfvvrC
--HG--
extra : rebase_source : 2fa13742525d2107580d50872ff5b0fc42539498
extra : source : 2dc5513660d78a4de4801109140743ffc9297f71
I can land the removal behind a pref first if you want and all that instead.
Again, this doesn't remove the internal usage for getComputedStyle (yet).
MozReview-Commit-ID: LA157ohfLhu
This patch changes ServoCSSPropList.py to use classes for properties.
This allows extending the data in the file without needing to update all
users of this file.
Sorting in GenerateCSSPropsGenerated.py is removed because the data file
has the right order already.
MozReview-Commit-ID: D74bItCfpPH
--HG--
extra : rebase_source : e0138c255f77515f491496fcb8680686362f4e9e
By including codegen.pp and having a target for codegen.pp, we were
relying on make to build out-of-date include files and re-exec itself
after they are built. However, make produces an error if the file does
not exist, which is why this include was changed to a -include in bug
1378965. Unfortunately this means that make ignores not only a
non-existent file, but also any errors in regenerating the target from
the webidl py_action.
Instead we can make a separate stub file target for webidl generation,
and include the codegen.pp that's generated as a side-effect of the
py_action. This way make will fail properly if the webidl generation
fails, and there is no error message about a missing codegen.pp on the
first build.
MozReview-Commit-ID: GjB8zDuMfnL
--HG--
extra : rebase_source : 560b3ae3e60986d7eb3bbabbac0acca67a3a4aff
This also removes any redundant Ci.nsISupports elements in the interface
lists.
This was done using the following script:
acecb401b7/processors/chromeutils-generateQI.jsm
MozReview-Commit-ID: AIx10P8GpZY
--HG--
extra : rebase_source : a29c07530586dc18ba040f19215475ac20fcfb3b
Test changes for removal of PopupBoxObject and popup.xml methods, some reflow tests now have different stacks now that they are not going through popup.xml binding methods, test_popupanchor.xul changes due to need to wait for popuppositioned event after resizing. The old code would just adjust the arrow directly when sizeTo was called, but the new code does this through an asynchronous popuppositioned event. Changes to some places that check for XULElement class.
--HG--
rename : dom/webidl/PopupBoxObject.webidl => dom/webidl/XULPopupElement.webidl
rename : layout/xul/PopupBoxObject.cpp => dom/xul/XULPopupElement.cpp
rename : layout/xul/PopupBoxObject.h => dom/xul/XULPopupElement.h