Diffstat (limited to '')
-rw-r--r-- | dom/base/StructuredCloneHolder.cpp | 1583 |
1 files changed, 1583 insertions, 0 deletions
diff --git a/dom/base/StructuredCloneHolder.cpp b/dom/base/StructuredCloneHolder.cpp
new file mode 100644
index 0000000000..326e60acaf
--- /dev/null
+++ b/dom/base/StructuredCloneHolder.cpp
@@ -0,0 +1,1583 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/dom/StructuredCloneHolder.h"
+
+#include <new>
+#include "ErrorList.h"
+#include "MainThreadUtils.h"
+#include "js/CallArgs.h"
+#include "js/Value.h"
+#include "js/WasmModule.h"
+#include "js/Wrapper.h"
+#include "jsapi.h"
+#include "mozilla/AlreadyAddRefed.h"
+#include "mozilla/AutoRestore.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/OwningNonNull.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/StaticPrefs_dom.h"
+#include "mozilla/dom/BindingDeclarations.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/Blob.h"
+#include "mozilla/dom/BlobBinding.h"
+#include "mozilla/dom/BlobImpl.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/dom/ClonedErrorHolder.h"
+#include "mozilla/dom/ClonedErrorHolderBinding.h"
+#include "mozilla/dom/DirectoryBinding.h"
+#include "mozilla/dom/DOMJSClass.h"
+#include "mozilla/dom/DOMTypes.h"
+#include "mozilla/dom/Directory.h"
+#include "mozilla/dom/DocGroup.h"
+#include "mozilla/dom/File.h"
+#include "mozilla/dom/FileList.h"
+#include "mozilla/dom/FileListBinding.h"
+#include "mozilla/dom/FormData.h"
+#include "mozilla/dom/FormDataBinding.h"
+#include "mozilla/dom/ImageBitmap.h"
+#include "mozilla/dom/ImageBitmapBinding.h"
+#include "mozilla/dom/JSExecutionManager.h"
+#include "mozilla/dom/MessagePort.h"
+#include "mozilla/dom/MessagePortBinding.h"
+#include "mozilla/dom/OffscreenCanvas.h"
+#include "mozilla/dom/OffscreenCanvasBinding.h"
+#include "mozilla/dom/ReadableStream.h"
+#include "mozilla/dom/ReadableStreamBinding.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include 
"mozilla/dom/StructuredCloneBlob.h"
+#include "mozilla/dom/StructuredCloneHolderBinding.h"
+#include "mozilla/dom/StructuredCloneTags.h"
+#include "mozilla/dom/ToJSValue.h"
+#include "mozilla/dom/TransformStream.h"
+#include "mozilla/dom/TransformStreamBinding.h"
+#include "mozilla/dom/VideoFrame.h"
+#include "mozilla/dom/VideoFrameBinding.h"
+#include "mozilla/dom/WebIDLSerializable.h"
+#include "mozilla/dom/WritableStream.h"
+#include "mozilla/dom/WritableStreamBinding.h"
+#include "mozilla/dom/WorkerCommon.h"
+#include "mozilla/dom/WorkerPrivate.h"
+#include "mozilla/fallible.h"
+#include "mozilla/gfx/2D.h"
+#include "nsContentUtils.h"
+#include "nsDebug.h"
+#include "nsError.h"
+#include "nsID.h"
+#include "nsIEventTarget.h"
+#include "nsIFile.h"
+#include "nsIGlobalObject.h"
+#include "nsIInputStream.h"
+#include "nsIPrincipal.h"
+#include "nsISupports.h"
+#include "nsJSPrincipals.h"
+#include "nsPIDOMWindow.h"
+#include "nsString.h"
+#include "nsThreadUtils.h"
+#include "nsXPCOM.h"
+#include "xpcpublic.h"
+
+using namespace mozilla::ipc;
+
+namespace mozilla::dom {
+
+namespace {
+
+JSObject* StructuredCloneCallbacksRead(
+ JSContext* aCx, JSStructuredCloneReader* aReader,
+ const JS::CloneDataPolicy& aCloneDataPolicy, uint32_t aTag, uint32_t aIndex,
+ void* aClosure) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomReadHandler(aCx, aReader, aCloneDataPolicy, aTag,
+ aIndex);
+}
+
+bool StructuredCloneCallbacksWrite(JSContext* aCx,
+ JSStructuredCloneWriter* aWriter,
+ JS::Handle<JSObject*> aObj,
+ bool* aSameProcessScopeRequired,
+ void* aClosure) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomWriteHandler(aCx, aWriter, aObj,
+ aSameProcessScopeRequired);
+}
+
+bool StructuredCloneCallbacksReadTransfer(
+ JSContext* aCx, JSStructuredCloneReader* aReader, uint32_t aTag,
+ void* 
aContent, uint64_t aExtraData, void* aClosure,
+ JS::MutableHandle<JSObject*> aReturnObject) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomReadTransferHandler(aCx, aReader, aTag, aContent,
+ aExtraData, aReturnObject);
+}
+
+bool StructuredCloneCallbacksWriteTransfer(
+ JSContext* aCx, JS::Handle<JSObject*> aObj, void* aClosure,
+ // Output:
+ uint32_t* aTag, JS::TransferableOwnership* aOwnership, void** aContent,
+ uint64_t* aExtraData) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomWriteTransferHandler(aCx, aObj, aTag, aOwnership,
+ aContent, aExtraData);
+}
+
+void StructuredCloneCallbacksFreeTransfer(uint32_t aTag,
+ JS::TransferableOwnership aOwnership,
+ void* aContent, uint64_t aExtraData,
+ void* aClosure) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomFreeTransferHandler(aTag, aOwnership, aContent,
+ aExtraData);
+}
+
+bool StructuredCloneCallbacksCanTransfer(JSContext* aCx,
+ JS::Handle<JSObject*> aObject,
+ bool* aSameProcessScopeRequired,
+ void* aClosure) {
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->CustomCanTransferHandler(aCx, aObject,
+ aSameProcessScopeRequired);
+}
+
+bool StructuredCloneCallbacksSharedArrayBuffer(JSContext* cx, bool aReceiving,
+ void* aClosure) {
+ if (!StaticPrefs::dom_workers_serialized_sab_access()) {
+ return true;
+ }
+
+ WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate();
+
+ if (workerPrivate) {
+ workerPrivate->SetExecutionManager(
+ JSExecutionManager::GetSABSerializationManager());
+ } else if (NS_IsMainThread()) {
+ nsIGlobalObject* global = GetCurrentGlobal();
+
+ nsPIDOMWindowInner* innerWindow = nullptr;
+ if (global) {
+ innerWindow = 
global->AsInnerWindow();
+ }
+
+ DocGroup* docGroup = nullptr;
+ if (innerWindow) {
+ docGroup = innerWindow->GetDocGroup();
+ }
+
+ if (docGroup) {
+ docGroup->SetExecutionManager(
+ JSExecutionManager::GetSABSerializationManager());
+ }
+ }
+ return true;
+}
+
+void StructuredCloneCallbacksError(JSContext* aCx, uint32_t aErrorId,
+ void* aClosure, const char* aErrorMessage) {
+ NS_WARNING("Failed to clone data.");
+ StructuredCloneHolderBase* holder =
+ static_cast<StructuredCloneHolderBase*>(aClosure);
+ MOZ_ASSERT(holder);
+ return holder->SetErrorMessage(aErrorMessage);
+}
+
+void AssertTagValues() {
+ static_assert(SCTAG_DOM_IMAGEDATA == 0xffff8007 &&
+ SCTAG_DOM_DOMPOINT == 0xffff8008 &&
+ SCTAG_DOM_DOMPOINTREADONLY == 0xffff8009 &&
+ SCTAG_DOM_CRYPTOKEY == 0xffff800a &&
+ SCTAG_DOM_NULL_PRINCIPAL == 0xffff800b &&
+ SCTAG_DOM_SYSTEM_PRINCIPAL == 0xffff800c &&
+ SCTAG_DOM_CONTENT_PRINCIPAL == 0xffff800d &&
+ SCTAG_DOM_DOMQUAD == 0xffff800e &&
+ SCTAG_DOM_RTCCERTIFICATE == 0xffff800f &&
+ SCTAG_DOM_DOMRECT == 0xffff8010 &&
+ SCTAG_DOM_DOMRECTREADONLY == 0xffff8011 &&
+ SCTAG_DOM_EXPANDED_PRINCIPAL == 0xffff8012 &&
+ SCTAG_DOM_DOMMATRIX == 0xffff8013 &&
+ SCTAG_DOM_URLSEARCHPARAMS == 0xffff8014 &&
+ SCTAG_DOM_DOMMATRIXREADONLY == 0xffff8015 &&
+ SCTAG_DOM_STRUCTUREDCLONETESTER == 0xffff8018 &&
+ SCTAG_DOM_FILESYSTEMHANDLE == 0xffff8019 &&
+ SCTAG_DOM_FILESYSTEMFILEHANDLE == 0xffff801a &&
+ SCTAG_DOM_FILESYSTEMDIRECTORYHANDLE == 0xffff801b,
+ "Something has changed the sctag values. 
This is wrong!");
+}
+
+} // anonymous namespace
+
+const JSStructuredCloneCallbacks StructuredCloneHolder::sCallbacks = {
+ StructuredCloneCallbacksRead,
+ StructuredCloneCallbacksWrite,
+ StructuredCloneCallbacksError,
+ StructuredCloneCallbacksReadTransfer,
+ StructuredCloneCallbacksWriteTransfer,
+ StructuredCloneCallbacksFreeTransfer,
+ StructuredCloneCallbacksCanTransfer,
+ StructuredCloneCallbacksSharedArrayBuffer,
+};
+
+// StructuredCloneHolderBase class
+
+StructuredCloneHolderBase::StructuredCloneHolderBase(
+ StructuredCloneScope aScope)
+ : mStructuredCloneScope(aScope)
+#ifdef DEBUG
+ ,
+ mClearCalled(false)
+#endif
+{
+}
+
+StructuredCloneHolderBase::~StructuredCloneHolderBase() {
+#ifdef DEBUG
+ MOZ_ASSERT(mClearCalled);
+#endif
+}
+
+void StructuredCloneHolderBase::Clear() {
+#ifdef DEBUG
+ mClearCalled = true;
+#endif
+
+ mBuffer = nullptr;
+}
+
+bool StructuredCloneHolderBase::Write(JSContext* aCx,
+ JS::Handle<JS::Value> aValue) {
+ return Write(aCx, aValue, JS::UndefinedHandleValue, JS::CloneDataPolicy());
+}
+
+bool StructuredCloneHolderBase::Write(
+ JSContext* aCx, JS::Handle<JS::Value> aValue,
+ JS::Handle<JS::Value> aTransfer,
+ const JS::CloneDataPolicy& aCloneDataPolicy) {
+ MOZ_ASSERT(!mBuffer, "Double Write is not allowed");
+ MOZ_ASSERT(!mClearCalled, "This method cannot be called after Clear.");
+
+ mBuffer = MakeUnique<JSAutoStructuredCloneBuffer>(
+ mStructuredCloneScope, &StructuredCloneHolder::sCallbacks, this);
+
+ if (!mBuffer->write(aCx, aValue, aTransfer, aCloneDataPolicy,
+ &StructuredCloneHolder::sCallbacks, this)) {
+ mBuffer = nullptr;
+ return false;
+ }
+
+ // Let's update our scope to the final one. The new one could be more
+ // restrictive of the current one. 
+ MOZ_ASSERT(mStructuredCloneScope >= mBuffer->scope()); + mStructuredCloneScope = mBuffer->scope(); + return true; +} + +bool StructuredCloneHolderBase::Read(JSContext* aCx, + JS::MutableHandle<JS::Value> aValue) { + return Read(aCx, aValue, JS::CloneDataPolicy()); +} + +bool StructuredCloneHolderBase::Read( + JSContext* aCx, JS::MutableHandle<JS::Value> aValue, + const JS::CloneDataPolicy& aCloneDataPolicy) { + MOZ_ASSERT(mBuffer, "Read() without Write() is not allowed."); + MOZ_ASSERT(!mClearCalled, "This method cannot be called after Clear."); + + bool ok = mBuffer->read(aCx, aValue, aCloneDataPolicy, + &StructuredCloneHolder::sCallbacks, this); + return ok; +} + +bool StructuredCloneHolderBase::CustomReadTransferHandler( + JSContext* aCx, JSStructuredCloneReader* aReader, uint32_t aTag, + void* aContent, uint64_t aExtraData, + JS::MutableHandle<JSObject*> aReturnObject) { + MOZ_CRASH("Nothing to read."); + return false; +} + +bool StructuredCloneHolderBase::CustomWriteTransferHandler( + JSContext* aCx, JS::Handle<JSObject*> aObj, uint32_t* aTag, + JS::TransferableOwnership* aOwnership, void** aContent, + uint64_t* aExtraData) { + // No transfers are supported by default. 
+ return false; +} + +void StructuredCloneHolderBase::CustomFreeTransferHandler( + uint32_t aTag, JS::TransferableOwnership aOwnership, void* aContent, + uint64_t aExtraData) { + MOZ_CRASH("Nothing to free."); +} + +bool StructuredCloneHolderBase::CustomCanTransferHandler( + JSContext* aCx, JS::Handle<JSObject*> aObj, + bool* aSameProcessScopeRequired) { + return false; +} + +// StructuredCloneHolder class + +StructuredCloneHolder::StructuredCloneHolder( + CloningSupport aSupportsCloning, TransferringSupport aSupportsTransferring, + StructuredCloneScope aScope) + : StructuredCloneHolderBase(aScope), + mSupportsCloning(aSupportsCloning == CloningSupported), + mSupportsTransferring(aSupportsTransferring == TransferringSupported), + mGlobal(nullptr) +#ifdef DEBUG + , + mCreationEventTarget(GetCurrentEventTarget()) +#endif +{ +} + +StructuredCloneHolder::~StructuredCloneHolder() { + Clear(); + MOZ_ASSERT(mTransferredPorts.IsEmpty()); +} + +void StructuredCloneHolder::Write(JSContext* aCx, JS::Handle<JS::Value> aValue, + ErrorResult& aRv) { + Write(aCx, aValue, JS::UndefinedHandleValue, JS::CloneDataPolicy(), aRv); +} + +void StructuredCloneHolder::Write(JSContext* aCx, JS::Handle<JS::Value> aValue, + JS::Handle<JS::Value> aTransfer, + const JS::CloneDataPolicy& aCloneDataPolicy, + ErrorResult& aRv) { + if (!StructuredCloneHolderBase::Write(aCx, aValue, aTransfer, + aCloneDataPolicy)) { + aRv.ThrowDataCloneError(mErrorMessage); + return; + } +} + +void StructuredCloneHolder::Read(nsIGlobalObject* aGlobal, JSContext* aCx, + JS::MutableHandle<JS::Value> aValue, + ErrorResult& aRv) { + return Read(aGlobal, aCx, aValue, JS::CloneDataPolicy(), aRv); +} + +void StructuredCloneHolder::Read(nsIGlobalObject* aGlobal, JSContext* aCx, + JS::MutableHandle<JS::Value> aValue, + const JS::CloneDataPolicy& aCloneDataPolicy, + ErrorResult& aRv) { + MOZ_ASSERT(aGlobal); + + mozilla::AutoRestore<nsIGlobalObject*> guard(mGlobal); + auto errorMessageGuard = MakeScopeExit([&] { 
mErrorMessage.Truncate(); }); + mGlobal = aGlobal; + + if (!StructuredCloneHolderBase::Read(aCx, aValue, aCloneDataPolicy)) { + JS_ClearPendingException(aCx); + aRv.ThrowDataCloneError(mErrorMessage); + return; + } + + // If we are tranferring something, we cannot call 'Read()' more than once. + if (mSupportsTransferring) { + mBlobImplArray.Clear(); + mWasmModuleArray.Clear(); + mClonedSurfaces.Clear(); + mInputStreamArray.Clear(); + mVideoFrameImages.Clear(); + Clear(); + } +} + +void StructuredCloneHolder::ReadFromBuffer( + nsIGlobalObject* aGlobal, JSContext* aCx, JSStructuredCloneData& aBuffer, + JS::MutableHandle<JS::Value> aValue, + const JS::CloneDataPolicy& aCloneDataPolicy, ErrorResult& aRv) { + ReadFromBuffer(aGlobal, aCx, aBuffer, JS_STRUCTURED_CLONE_VERSION, aValue, + aCloneDataPolicy, aRv); +} + +void StructuredCloneHolder::ReadFromBuffer( + nsIGlobalObject* aGlobal, JSContext* aCx, JSStructuredCloneData& aBuffer, + uint32_t aAlgorithmVersion, JS::MutableHandle<JS::Value> aValue, + const JS::CloneDataPolicy& aCloneDataPolicy, ErrorResult& aRv) { + MOZ_ASSERT(!mBuffer, "ReadFromBuffer() must be called without a Write()."); + + mozilla::AutoRestore<nsIGlobalObject*> guard(mGlobal); + auto errorMessageGuard = MakeScopeExit([&] { mErrorMessage.Truncate(); }); + mGlobal = aGlobal; + + if (!JS_ReadStructuredClone(aCx, aBuffer, aAlgorithmVersion, CloneScope(), + aValue, aCloneDataPolicy, &sCallbacks, this)) { + JS_ClearPendingException(aCx); + aRv.ThrowDataCloneError(mErrorMessage); + return; + } +} + +/* static */ +JSObject* StructuredCloneHolder::ReadFullySerializableObjects( + JSContext* aCx, JSStructuredCloneReader* aReader, uint32_t aTag) { + AssertTagValues(); + + nsIGlobalObject* global = xpc::CurrentNativeGlobal(aCx); + if (!global) { + return nullptr; + } + + WebIDLDeserializer deserializer = + LookupDeserializer(StructuredCloneTags(aTag)); + if (deserializer) { + return deserializer(aCx, global, aReader); + } + + if (aTag == SCTAG_DOM_NULL_PRINCIPAL 
|| aTag == SCTAG_DOM_SYSTEM_PRINCIPAL || + aTag == SCTAG_DOM_CONTENT_PRINCIPAL || + aTag == SCTAG_DOM_EXPANDED_PRINCIPAL) { + JSPrincipals* prin; + if (!nsJSPrincipals::ReadKnownPrincipalType(aCx, aReader, aTag, &prin)) { + return nullptr; + } + + JS::Rooted<JS::Value> result(aCx); + { + // nsJSPrincipals::ReadKnownPrincipalType addrefs for us, but because of + // the casting between JSPrincipals* and nsIPrincipal* we can't use + // getter_AddRefs above and have to already_AddRefed here. + nsCOMPtr<nsIPrincipal> principal = + already_AddRefed<nsIPrincipal>(nsJSPrincipals::get(prin)); + + nsresult rv = nsContentUtils::WrapNative( + aCx, principal, &NS_GET_IID(nsIPrincipal), &result); + if (NS_FAILED(rv)) { + xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR); + return nullptr; + } + } + return result.toObjectOrNull(); + } + + // Don't know what this is. Bail. + xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR); + return nullptr; +} + +/* static */ +bool StructuredCloneHolder::WriteFullySerializableObjects( + JSContext* aCx, JSStructuredCloneWriter* aWriter, + JS::Handle<JSObject*> aObj) { + AssertTagValues(); + + // Window and Location are not serializable, so it's OK to just do a static + // unwrap here. + JS::Rooted<JSObject*> obj(aCx, js::CheckedUnwrapStatic(aObj)); + if (!obj) { + return xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR); + } + + const DOMJSClass* domClass = GetDOMClass(obj); + if (domClass && domClass->mSerializer) { + return domClass->mSerializer(aCx, aWriter, obj); + } + + if (NS_IsMainThread() && xpc::IsReflector(obj, aCx)) { + // We only care about principals, so ReflectorToISupportsStatic is fine. 
+ nsCOMPtr<nsISupports> base = xpc::ReflectorToISupportsStatic(obj); + nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(base); + if (principal) { + auto nsjsprincipals = nsJSPrincipals::get(principal); + return nsjsprincipals->write(aCx, aWriter); + } + } + + // Don't know what this is + ErrorResult rv; + const char* className = JS::GetClass(obj)->name; + rv.ThrowDataCloneError(nsDependentCString(className) + + " object could not be cloned."_ns); + MOZ_ALWAYS_TRUE(rv.MaybeSetPendingException(aCx)); + return false; +} + +/* static */ +bool StructuredCloneHolder::ReadString(JSStructuredCloneReader* aReader, + nsString& aString) { + uint32_t length, zero; + if (!JS_ReadUint32Pair(aReader, &length, &zero)) { + return false; + } + + if (NS_WARN_IF(!aString.SetLength(length, fallible))) { + return false; + } + size_t charSize = sizeof(nsString::char_type); + return JS_ReadBytes(aReader, (void*)aString.BeginWriting(), + length * charSize); +} + +/* static */ +bool StructuredCloneHolder::WriteString(JSStructuredCloneWriter* aWriter, + const nsAString& aString) { + size_t charSize = sizeof(nsString::char_type); + return JS_WriteUint32Pair(aWriter, aString.Length(), 0) && + JS_WriteBytes(aWriter, aString.BeginReading(), + aString.Length() * charSize); +} + +namespace { + +JSObject* ReadBlob(JSContext* aCx, uint32_t aIndex, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aHolder); +#ifdef FUZZING + if (aIndex >= aHolder->BlobImpls().Length()) { + return nullptr; + } +#endif + MOZ_ASSERT(aIndex < aHolder->BlobImpls().Length()); + JS::Rooted<JS::Value> val(aCx); + { + // RefPtr<File> and RefPtr<BlobImpl> need to go out of scope before + // toObject() is called because the static analysis thinks releasing XPCOM + // objects can GC (because in some cases it can!), and a return statement + // with a JSObject* type means that JSObject* is on the stack as a raw + // pointer while destructors are running. 
+ RefPtr<BlobImpl> blobImpl = aHolder->BlobImpls()[aIndex]; + + RefPtr<Blob> blob = Blob::Create(aHolder->GlobalDuringRead(), blobImpl); + if (NS_WARN_IF(!blob)) { + return nullptr; + } + + if (!ToJSValue(aCx, blob, &val)) { + return nullptr; + } + } + + return &val.toObject(); +} + +bool WriteBlob(JSStructuredCloneWriter* aWriter, Blob* aBlob, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aBlob); + MOZ_ASSERT(aHolder); + + RefPtr<BlobImpl> blobImpl = aBlob->Impl(); + + // We store the position of the blobImpl in the array as index. + if (JS_WriteUint32Pair(aWriter, SCTAG_DOM_BLOB, + aHolder->BlobImpls().Length())) { + aHolder->BlobImpls().AppendElement(blobImpl); + return true; + } + + return false; +} + +// A directory is serialized as: +// - pair of ints: SCTAG_DOM_DIRECTORY, path length +// - path as string +bool WriteDirectory(JSStructuredCloneWriter* aWriter, Directory* aDirectory) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aDirectory); + + nsAutoString path; + aDirectory->GetFullRealPath(path); + + size_t charSize = sizeof(nsString::char_type); + return JS_WriteUint32Pair(aWriter, SCTAG_DOM_DIRECTORY, path.Length()) && + JS_WriteBytes(aWriter, path.get(), path.Length() * charSize); +} + +already_AddRefed<Directory> ReadDirectoryInternal( + JSStructuredCloneReader* aReader, uint32_t aPathLength, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aReader); + MOZ_ASSERT(aHolder); + + nsAutoString path; + if (NS_WARN_IF(!path.SetLength(aPathLength, fallible))) { + return nullptr; + } + size_t charSize = sizeof(nsString::char_type); + if (!JS_ReadBytes(aReader, (void*)path.BeginWriting(), + aPathLength * charSize)) { + return nullptr; + } + + nsCOMPtr<nsIFile> file; + nsresult rv = NS_NewLocalFile(path, true, getter_AddRefs(file)); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nullptr; + } + + RefPtr<Directory> directory = + Directory::Create(aHolder->GlobalDuringRead(), file); + return directory.forget(); +} + +JSObject* ReadDirectory(JSContext* 
aCx, JSStructuredCloneReader* aReader, + uint32_t aPathLength, StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aCx); + MOZ_ASSERT(aReader); + MOZ_ASSERT(aHolder); + + // RefPtr<Directory> needs to go out of scope before toObject() is + // called because the static analysis thinks dereferencing XPCOM objects + // can GC (because in some cases it can!), and a return statement with a + // JSObject* type means that JSObject* is on the stack as a raw pointer + // while destructors are running. + JS::Rooted<JS::Value> val(aCx); + { + RefPtr<Directory> directory = + ReadDirectoryInternal(aReader, aPathLength, aHolder); + if (!directory) { + return nullptr; + } + + if (!ToJSValue(aCx, directory, &val)) { + return nullptr; + } + } + + return &val.toObject(); +} + +// Read the WriteFileList for the format. +JSObject* ReadFileList(JSContext* aCx, JSStructuredCloneReader* aReader, + uint32_t aCount, StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aCx); + MOZ_ASSERT(aReader); + + JS::Rooted<JS::Value> val(aCx); + { + RefPtr<FileList> fileList = new FileList(aHolder->GlobalDuringRead()); + + uint32_t zero, index; + // |index| is the index of the first blobImpl. + if (!JS_ReadUint32Pair(aReader, &zero, &index) || zero != 0) { + return nullptr; + } + + // |aCount| is the number of BlobImpls to use from the |index|. 
+ for (uint32_t i = 0; i < aCount; ++i) { + uint32_t pos = index + i; +#ifdef FUZZING + if (pos >= aHolder->BlobImpls().Length()) { + return nullptr; + } +#endif + MOZ_ASSERT(pos < aHolder->BlobImpls().Length()); + + RefPtr<BlobImpl> blobImpl = aHolder->BlobImpls()[pos]; + MOZ_ASSERT(blobImpl->IsFile()); + + RefPtr<File> file = File::Create(aHolder->GlobalDuringRead(), blobImpl); + if (NS_WARN_IF(!file)) { + return nullptr; + } + + if (!fileList->Append(file)) { + return nullptr; + } + } + + if (!ToJSValue(aCx, fileList, &val)) { + return nullptr; + } + } + + return &val.toObject(); +} + +// The format of the FileList serialization is: +// - pair of ints: SCTAG_DOM_FILELIST, Length of the FileList +// - pair of ints: 0, The offset of the BlobImpl array +bool WriteFileList(JSStructuredCloneWriter* aWriter, FileList* aFileList, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aFileList); + MOZ_ASSERT(aHolder); + + // A FileList is serialized writing the X number of elements and the offset + // from mBlobImplArray. The Read will take X elements from mBlobImplArray + // starting from the offset. + if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_FILELIST, aFileList->Length()) || + !JS_WriteUint32Pair(aWriter, 0, aHolder->BlobImpls().Length())) { + return false; + } + + nsTArray<RefPtr<BlobImpl>> blobImpls; + + for (uint32_t i = 0; i < aFileList->Length(); ++i) { + RefPtr<BlobImpl> blobImpl = aFileList->Item(i)->Impl(); + blobImpls.AppendElement(blobImpl); + } + + aHolder->BlobImpls().AppendElements(blobImpls); + return true; +} + +// Read the WriteFormData for the format. +JSObject* ReadFormData(JSContext* aCx, JSStructuredCloneReader* aReader, + uint32_t aCount, StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aCx); + MOZ_ASSERT(aReader); + MOZ_ASSERT(aHolder); + + // See the serialization of the FormData for the format. 
+ JS::Rooted<JS::Value> val(aCx); + { + RefPtr<FormData> formData = new FormData(aHolder->GlobalDuringRead()); + + Optional<nsAString> thirdArg; + for (uint32_t i = 0; i < aCount; ++i) { + nsAutoString name; + if (!StructuredCloneHolder::ReadString(aReader, name)) { + return nullptr; + } + + uint32_t tag, indexOrLengthOfString; + if (!JS_ReadUint32Pair(aReader, &tag, &indexOrLengthOfString)) { + return nullptr; + } + + if (tag == SCTAG_DOM_BLOB) { +#ifdef FUZZING + if (indexOrLengthOfString >= aHolder->BlobImpls().Length()) { + return nullptr; + } +#endif + MOZ_ASSERT(indexOrLengthOfString < aHolder->BlobImpls().Length()); + + RefPtr<BlobImpl> blobImpl = aHolder->BlobImpls()[indexOrLengthOfString]; + + RefPtr<Blob> blob = Blob::Create(aHolder->GlobalDuringRead(), blobImpl); + if (NS_WARN_IF(!blob)) { + return nullptr; + } + + ErrorResult rv; + formData->Append(name, *blob, thirdArg, rv); + if (NS_WARN_IF(rv.Failed())) { + rv.SuppressException(); + return nullptr; + } + + } else if (tag == SCTAG_DOM_DIRECTORY) { + RefPtr<Directory> directory = + ReadDirectoryInternal(aReader, indexOrLengthOfString, aHolder); + if (!directory) { + return nullptr; + } + + formData->Append(name, directory); + + } else { + if (NS_WARN_IF(tag != 0)) { + return nullptr; + } + + nsAutoString value; + if (NS_WARN_IF(!value.SetLength(indexOrLengthOfString, fallible))) { + return nullptr; + } + size_t charSize = sizeof(nsString::char_type); + if (!JS_ReadBytes(aReader, (void*)value.BeginWriting(), + indexOrLengthOfString * charSize)) { + return nullptr; + } + + ErrorResult rv; + formData->Append(name, value, rv); + if (NS_WARN_IF(rv.Failed())) { + rv.SuppressException(); + return nullptr; + } + } + } + + if (!ToJSValue(aCx, formData, &val)) { + return nullptr; + } + } + + return &val.toObject(); +} + +// The format of the FormData serialization is: +// - pair of ints: SCTAG_DOM_FORMDATA, Length of the FormData elements +// - for each Element element: +// - name string +// - if it's a blob: 
+// - pair of ints: SCTAG_DOM_BLOB, index of the BlobImpl in the array +// mBlobImplArray. +// - if it's a directory (See WriteDirectory): +// - pair of ints: SCTAG_DOM_DIRECTORY, path length +// - path as string +// - else: +// - pair of ints: 0, string length +// - value string +bool WriteFormData(JSStructuredCloneWriter* aWriter, FormData* aFormData, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aFormData); + MOZ_ASSERT(aHolder); + + if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_FORMDATA, aFormData->Length())) { + return false; + } + + class MOZ_STACK_CLASS Closure final { + JSStructuredCloneWriter* mWriter; + StructuredCloneHolder* mHolder; + + public: + Closure(JSStructuredCloneWriter* aWriter, StructuredCloneHolder* aHolder) + : mWriter(aWriter), mHolder(aHolder) {} + + static bool Write(const nsString& aName, + const OwningBlobOrDirectoryOrUSVString& aValue, + void* aClosure) { + Closure* closure = static_cast<Closure*>(aClosure); + if (!StructuredCloneHolder::WriteString(closure->mWriter, aName)) { + return false; + } + + if (aValue.IsBlob()) { + if (!JS_WriteUint32Pair(closure->mWriter, SCTAG_DOM_BLOB, + closure->mHolder->BlobImpls().Length())) { + return false; + } + + RefPtr<BlobImpl> blobImpl = aValue.GetAsBlob()->Impl(); + + closure->mHolder->BlobImpls().AppendElement(blobImpl); + return true; + } + + if (aValue.IsDirectory()) { + Directory* directory = aValue.GetAsDirectory(); + return WriteDirectory(closure->mWriter, directory); + } + + size_t charSize = sizeof(nsString::char_type); + if (!JS_WriteUint32Pair(closure->mWriter, 0, + aValue.GetAsUSVString().Length()) || + !JS_WriteBytes(closure->mWriter, aValue.GetAsUSVString().get(), + aValue.GetAsUSVString().Length() * charSize)) { + return false; + } + + return true; + } + }; + Closure closure(aWriter, aHolder); + return aFormData->ForEach(Closure::Write, &closure); +} + +JSObject* ReadWasmModule(JSContext* aCx, uint32_t aIndex, + StructuredCloneHolder* aHolder) { + 
MOZ_ASSERT(aHolder); + MOZ_ASSERT(aHolder->CloneScope() == + StructuredCloneHolder::StructuredCloneScope::SameProcess); +#ifdef FUZZING + if (aIndex >= aHolder->WasmModules().Length()) { + return nullptr; + } +#endif + MOZ_ASSERT(aIndex < aHolder->WasmModules().Length()); + + return aHolder->WasmModules()[aIndex]->createObject(aCx); +} + +bool WriteWasmModule(JSStructuredCloneWriter* aWriter, + JS::WasmModule* aWasmModule, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aWasmModule); + MOZ_ASSERT(aHolder); + MOZ_ASSERT(aHolder->CloneScope() == + StructuredCloneHolder::StructuredCloneScope::SameProcess); + + // We store the position of the wasmModule in the array as index. + if (JS_WriteUint32Pair(aWriter, SCTAG_DOM_WASM_MODULE, + aHolder->WasmModules().Length())) { + aHolder->WasmModules().AppendElement(aWasmModule); + return true; + } + + return false; +} + +JSObject* ReadInputStream(JSContext* aCx, uint32_t aIndex, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aHolder); +#ifdef FUZZING + if (aIndex >= aHolder->InputStreams().Length()) { + return nullptr; + } +#endif + MOZ_ASSERT(aIndex < aHolder->InputStreams().Length()); + JS::Rooted<JS::Value> result(aCx); + { + nsCOMPtr<nsIInputStream> inputStream = aHolder->InputStreams()[aIndex]; + + nsresult rv = nsContentUtils::WrapNative( + aCx, inputStream, &NS_GET_IID(nsIInputStream), &result); + if (NS_FAILED(rv)) { + return nullptr; + } + } + + return &result.toObject(); +} + +bool WriteInputStream(JSStructuredCloneWriter* aWriter, + nsIInputStream* aInputStream, + StructuredCloneHolder* aHolder) { + MOZ_ASSERT(aWriter); + MOZ_ASSERT(aInputStream); + MOZ_ASSERT(aHolder); + + // We store the position of the inputStream in the array as index. 
+ if (JS_WriteUint32Pair(aWriter, SCTAG_DOM_INPUTSTREAM,
+ aHolder->InputStreams().Length())) {
+ aHolder->InputStreams().AppendElement(aInputStream);
+ return true;
+ }
+
+ return false;
+}
+
+} // anonymous namespace
+
+JSObject* StructuredCloneHolder::CustomReadHandler(
+ JSContext* aCx, JSStructuredCloneReader* aReader,
+ const JS::CloneDataPolicy& aCloneDataPolicy, uint32_t aTag,
+ uint32_t aIndex) {
+ MOZ_ASSERT(mSupportsCloning);
+
+ if (aTag == SCTAG_DOM_BLOB) {
+ return ReadBlob(aCx, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_DIRECTORY) {
+ return ReadDirectory(aCx, aReader, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_FILELIST) {
+ return ReadFileList(aCx, aReader, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_FORMDATA) {
+ return ReadFormData(aCx, aReader, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_IMAGEBITMAP &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ // Get the current global object.
+ // This can be null.
+ JS::Rooted<JSObject*> result(aCx);
+ {
+ // aIndex is the index of the cloned image.
+ result = ImageBitmap::ReadStructuredClone(aCx, aReader, mGlobal,
+ GetSurfaces(), aIndex);
+ }
+ return result;
+ }
+
+ if (aTag == SCTAG_DOM_STRUCTURED_CLONE_HOLDER) {
+ return StructuredCloneBlob::ReadStructuredClone(aCx, aReader, this);
+ }
+
+ if (aTag == SCTAG_DOM_WASM_MODULE &&
+ CloneScope() == StructuredCloneScope::SameProcess &&
+ aCloneDataPolicy.areIntraClusterClonableSharedObjectsAllowed()) {
+ return ReadWasmModule(aCx, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_INPUTSTREAM) {
+ return ReadInputStream(aCx, aIndex, this);
+ }
+
+ if (aTag == SCTAG_DOM_BROWSING_CONTEXT) {
+ return BrowsingContext::ReadStructuredClone(aCx, aReader, this);
+ }
+
+ if (aTag == SCTAG_DOM_CLONED_ERROR_OBJECT) {
+ return ClonedErrorHolder::ReadStructuredClone(aCx, aReader, this);
+ }
+
+ if (StaticPrefs::dom_media_webcodecs_enabled() &&
+ aTag == SCTAG_DOM_VIDEOFRAME &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ return VideoFrame::ReadStructuredClone(aCx, mGlobal, aReader,
+ VideoFrameImages()[aIndex]);
+ }
+
+ return ReadFullySerializableObjects(aCx, aReader, aTag);
+}
+
+bool StructuredCloneHolder::CustomWriteHandler(
+ JSContext* aCx, JSStructuredCloneWriter* aWriter,
+ JS::Handle<JSObject*> aObj, bool* aSameProcessScopeRequired) {
+ if (!mSupportsCloning) {
+ return false;
+ }
+
+ JS::Rooted<JSObject*> obj(aCx, aObj);
+
+ // See if this is a File/Blob object.
+ {
+ Blob* blob = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(Blob, &obj, blob))) {
+ return WriteBlob(aWriter, blob, this);
+ }
+ }
+
+ // See if this is a Directory object.
+ {
+ Directory* directory = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(Directory, &obj, directory))) {
+ return WriteDirectory(aWriter, directory);
+ }
+ }
+
+ // See if this is a FileList object.
+ {
+ FileList* fileList = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(FileList, &obj, fileList))) {
+ return WriteFileList(aWriter, fileList, this);
+ }
+ }
+
+ // See if this is a FormData object.
+ {
+ FormData* formData = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(FormData, &obj, formData))) {
+ return WriteFormData(aWriter, formData, this);
+ }
+ }
+
+ // See if this is an ImageBitmap object.
+ {
+ ImageBitmap* imageBitmap = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(ImageBitmap, &obj, imageBitmap))) {
+ SameProcessScopeRequired(aSameProcessScopeRequired);
+
+ if (CloneScope() == StructuredCloneScope::SameProcess) {
+ ErrorResult rv;
+ ImageBitmap::WriteStructuredClone(aWriter, GetSurfaces(), imageBitmap,
+ rv);
+ return !rv.MaybeSetPendingException(aCx);
+ }
+ return false;
+ }
+ }
+
+ // See if this is a StructuredCloneBlob object.
+ {
+ StructuredCloneBlob* holder = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(StructuredCloneHolder, &obj, holder))) {
+ return holder->WriteStructuredClone(aCx, aWriter, this);
+ }
+ }
+
+ // See if this is a BrowsingContext object.
+ {
+ BrowsingContext* holder = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(BrowsingContext, &obj, holder))) {
+ return holder->WriteStructuredClone(aCx, aWriter, this);
+ }
+ }
+
+ // See if this is a ClonedErrorHolder object.
+ {
+ ClonedErrorHolder* holder = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(ClonedErrorHolder, &obj, holder))) {
+ return holder->WriteStructuredClone(aCx, aWriter, this);
+ }
+ }
+
+ // See if this is a WasmModule.
+ if (JS::IsWasmModuleObject(obj)) {
+ SameProcessScopeRequired(aSameProcessScopeRequired);
+ if (CloneScope() == StructuredCloneScope::SameProcess) {
+ RefPtr<JS::WasmModule> module = JS::GetWasmModule(obj);
+ MOZ_ASSERT(module);
+
+ return WriteWasmModule(aWriter, module, this);
+ }
+ return false;
+ }
+
+ // See if this is a VideoFrame object.
+ if (StaticPrefs::dom_media_webcodecs_enabled()) {
+ VideoFrame* videoFrame = nullptr;
+ if (NS_SUCCEEDED(UNWRAP_OBJECT(VideoFrame, &obj, videoFrame))) {
+ SameProcessScopeRequired(aSameProcessScopeRequired);
+ return CloneScope() == StructuredCloneScope::SameProcess
+ ? videoFrame->WriteStructuredClone(aWriter, this)
+ : false;
+ }
+ }
+
+ {
+ // We only care about streams, so ReflectorToISupportsStatic is fine.
+ nsCOMPtr<nsISupports> base = xpc::ReflectorToISupportsStatic(aObj);
+ nsCOMPtr<nsIInputStream> inputStream = do_QueryInterface(base);
+ if (inputStream) {
+ return WriteInputStream(aWriter, inputStream, this);
+ }
+ }
+
+ return WriteFullySerializableObjects(aCx, aWriter, aObj);
+}
+
+already_AddRefed<MessagePort> StructuredCloneHolder::ReceiveMessagePort(
+ uint64_t aIndex) {
+ if (NS_WARN_IF(aIndex >= mPortIdentifiers.Length())) {
+ return nullptr;
+ }
+ UniqueMessagePortId portId(mPortIdentifiers[aIndex]);
+
+ ErrorResult rv;
+ RefPtr<MessagePort> port = MessagePort::Create(mGlobal, portId, rv);
+ if (NS_WARN_IF(rv.Failed())) {
+ rv.SuppressException();
+ return nullptr;
+ }
+
+ return port.forget();
+}
+
+// TODO: Convert this to MOZ_CAN_RUN_SCRIPT (bug 1415230)
+MOZ_CAN_RUN_SCRIPT_BOUNDARY bool
+StructuredCloneHolder::CustomReadTransferHandler(
+ JSContext* aCx, JSStructuredCloneReader* aReader, uint32_t aTag,
+ void* aContent, uint64_t aExtraData,
+ JS::MutableHandle<JSObject*> aReturnObject) {
+ MOZ_ASSERT(mSupportsTransferring);
+
+ if (aTag == SCTAG_DOM_MAP_MESSAGEPORT) {
+#ifdef FUZZING
+ if (aExtraData >= mPortIdentifiers.Length()) {
+ return false;
+ }
+#endif
+ RefPtr<MessagePort> port = ReceiveMessagePort(aExtraData);
+ if (!port) {
+ return false;
+ }
+ mTransferredPorts.AppendElement(port);
+
+ JS::Rooted<JS::Value> value(aCx);
+ if (!GetOrCreateDOMReflector(aCx, port, &value)) {
+ JS_ClearPendingException(aCx);
+ return false;
+ }
+
+ aReturnObject.set(&value.toObject());
+ return true;
+ }
+
+ if (aTag == SCTAG_DOM_CANVAS &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ MOZ_ASSERT(aContent);
+ OffscreenCanvasCloneData* data =
+ static_cast<OffscreenCanvasCloneData*>(aContent);
+ RefPtr<OffscreenCanvas> canvas =
+ OffscreenCanvas::CreateFromCloneData(mGlobal, data);
+ delete data;
+
+ JS::Rooted<JS::Value> value(aCx);
+ if (!GetOrCreateDOMReflector(aCx, canvas, &value)) {
+ JS_ClearPendingException(aCx);
+ return false;
+ }
+
+ aReturnObject.set(&value.toObject());
+ return true;
+ }
+
+ if (aTag == SCTAG_DOM_IMAGEBITMAP &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ MOZ_ASSERT(aContent);
+ ImageBitmapCloneData* data = static_cast<ImageBitmapCloneData*>(aContent);
+ RefPtr<ImageBitmap> bitmap =
+ ImageBitmap::CreateFromCloneData(mGlobal, data);
+ delete data;
+
+ JS::Rooted<JS::Value> value(aCx);
+ if (!GetOrCreateDOMReflector(aCx, bitmap, &value)) {
+ JS_ClearPendingException(aCx);
+ return false;
+ }
+
+ aReturnObject.set(&value.toObject());
+ return true;
+ }
+
+ if (aTag == SCTAG_DOM_READABLESTREAM) {
+#ifdef FUZZING
+ if (aExtraData >= mPortIdentifiers.Length()) {
+ return false;
+ }
+#endif
+ RefPtr<MessagePort> port = ReceiveMessagePort(aExtraData);
+ if (!port) {
+ return false;
+ }
+ nsCOMPtr<nsIGlobalObject> global = mGlobal;
+ return ReadableStream::ReceiveTransfer(aCx, global, *port, aReturnObject);
+ }
+
+ if (aTag == SCTAG_DOM_WRITABLESTREAM) {
+#ifdef FUZZING
+ if (aExtraData >= mPortIdentifiers.Length()) {
+ return false;
+ }
+#endif
+ RefPtr<MessagePort> port = ReceiveMessagePort(aExtraData);
+ if (!port) {
+ return false;
+ }
+ nsCOMPtr<nsIGlobalObject> global = mGlobal;
+ return WritableStream::ReceiveTransfer(aCx, global, *port, aReturnObject);
+ }
+
+ if (aTag == SCTAG_DOM_TRANSFORMSTREAM) {
+#ifdef FUZZING
+ if (aExtraData + 1 >= mPortIdentifiers.Length()) {
+ return false;
+ }
+#endif
+ RefPtr<MessagePort> port1 = ReceiveMessagePort(aExtraData);
+ RefPtr<MessagePort> port2 = ReceiveMessagePort(aExtraData + 1);
+ if (!port1 || !port2) {
+ return false;
+ }
+ nsCOMPtr<nsIGlobalObject> global = mGlobal;
+ return TransformStream::ReceiveTransfer(aCx, global, *port1, *port2,
+ aReturnObject);
+ }
+
+ return false;
+}
+
+// TODO: Convert this to MOZ_CAN_RUN_SCRIPT (bug 1415230)
+MOZ_CAN_RUN_SCRIPT_BOUNDARY bool
+StructuredCloneHolder::CustomWriteTransferHandler(
+ JSContext* aCx, JS::Handle<JSObject*> aObj, uint32_t* aTag,
+ JS::TransferableOwnership* aOwnership, void** aContent,
+ uint64_t* aExtraData) {
+ if (!mSupportsTransferring) {
+ return false;
+ }
+
+ JS::Rooted<JSObject*> obj(aCx, aObj);
+
+ {
+ MessagePort* port = nullptr;
+ nsresult rv = UNWRAP_OBJECT(MessagePort, &obj, port);
+ if (NS_SUCCEEDED(rv)) {
+ if (!port->CanBeCloned()) {
+ return false;
+ }
+
+ UniqueMessagePortId identifier;
+ port->CloneAndDisentangle(identifier);
+
+ // We use aExtraData to store the index of this new port identifier.
+ *aExtraData = mPortIdentifiers.Length();
+ mPortIdentifiers.AppendElement(identifier.release());
+
+ *aTag = SCTAG_DOM_MAP_MESSAGEPORT;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+ *aContent = nullptr;
+
+ return true;
+ }
+
+ if (CloneScope() == StructuredCloneScope::SameProcess) {
+ OffscreenCanvas* canvas = nullptr;
+ rv = UNWRAP_OBJECT(OffscreenCanvas, &obj, canvas);
+ if (NS_SUCCEEDED(rv)) {
+ MOZ_ASSERT(canvas);
+
+ if (!canvas->MayNeuter()) {
+ return false;
+ }
+
+ *aExtraData = 0;
+ *aTag = SCTAG_DOM_CANVAS;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+ *aContent = canvas->ToCloneData();
+ MOZ_ASSERT(*aContent);
+ canvas->SetNeutered();
+
+ return true;
+ }
+
+ ImageBitmap* bitmap = nullptr;
+ rv = UNWRAP_OBJECT(ImageBitmap, &obj, bitmap);
+ if (NS_SUCCEEDED(rv)) {
+ MOZ_ASSERT(bitmap);
+ MOZ_ASSERT(!bitmap->IsWriteOnly());
+
+ *aExtraData = 0;
+ *aTag = SCTAG_DOM_IMAGEBITMAP;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+
+ UniquePtr<ImageBitmapCloneData> clonedBitmap = bitmap->ToCloneData();
+ if (!clonedBitmap) {
+ return false;
+ }
+
+ *aContent = clonedBitmap.release();
+ MOZ_ASSERT(*aContent);
+ bitmap->Close();
+
+ return true;
+ }
+ }
+
+ {
+ RefPtr<ReadableStream> stream;
+ rv = UNWRAP_OBJECT(ReadableStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ MOZ_ASSERT(stream);
+
+ *aTag = SCTAG_DOM_READABLESTREAM;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+ *aContent = nullptr;
+
+ UniqueMessagePortId id;
+ if (!stream->Transfer(aCx, id)) {
+ return false;
+ }
+ *aExtraData = mPortIdentifiers.Length();
+ mPortIdentifiers.AppendElement(id.release());
+ return true;
+ }
+ }
+
+ {
+ RefPtr<WritableStream> stream;
+ rv = UNWRAP_OBJECT(WritableStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ MOZ_ASSERT(stream);
+
+ *aTag = SCTAG_DOM_WRITABLESTREAM;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+ *aContent = nullptr;
+
+ UniqueMessagePortId id;
+ if (!stream->Transfer(aCx, id)) {
+ return false;
+ }
+ *aExtraData = mPortIdentifiers.Length();
+ mPortIdentifiers.AppendElement(id.release());
+ return true;
+ }
+ }
+
+ {
+ RefPtr<TransformStream> stream;
+ rv = UNWRAP_OBJECT(TransformStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ MOZ_ASSERT(stream);
+
+ *aTag = SCTAG_DOM_TRANSFORMSTREAM;
+ *aOwnership = JS::SCTAG_TMO_CUSTOM;
+ *aContent = nullptr;
+
+ UniqueMessagePortId id1;
+ UniqueMessagePortId id2;
+ if (!stream->Transfer(aCx, id1, id2)) {
+ return false;
+ }
+ *aExtraData = mPortIdentifiers.Length();
+ mPortIdentifiers.AppendElement(id1.release());
+ mPortIdentifiers.AppendElement(id2.release());
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+void StructuredCloneHolder::CustomFreeTransferHandler(
+ uint32_t aTag, JS::TransferableOwnership aOwnership, void* aContent,
+ uint64_t aExtraData) {
+ MOZ_ASSERT(mSupportsTransferring);
+
+ if (aTag == SCTAG_DOM_MAP_MESSAGEPORT) {
+ MOZ_ASSERT(!aContent);
+#ifdef FUZZING
+ if (aExtraData >= mPortIdentifiers.Length()) {
+ return;
+ }
+#endif
+ MOZ_ASSERT(aExtraData < mPortIdentifiers.Length());
+ MessagePort::ForceClose(mPortIdentifiers[aExtraData]);
+ return;
+ }
+
+ if (aTag == SCTAG_DOM_CANVAS &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ MOZ_ASSERT(aContent);
+ OffscreenCanvasCloneData* data =
+ static_cast<OffscreenCanvasCloneData*>(aContent);
+ delete data;
+ return;
+ }
+
+ if (aTag == SCTAG_DOM_IMAGEBITMAP &&
+ CloneScope() == StructuredCloneScope::SameProcess) {
+ MOZ_ASSERT(aContent);
+ ImageBitmapCloneData* data = static_cast<ImageBitmapCloneData*>(aContent);
+ delete data;
+ return;
+ }
+
+ if (aTag == SCTAG_DOM_READABLESTREAM || aTag == SCTAG_DOM_WRITABLESTREAM) {
+ MOZ_ASSERT(!aContent);
+#ifdef FUZZING
+ if (aExtraData >= mPortIdentifiers.Length()) {
+ return;
+ }
+#endif
+ MOZ_ASSERT(aExtraData < mPortIdentifiers.Length());
+ MessagePort::ForceClose(mPortIdentifiers[aExtraData]);
+ return;
+ }
+
+ if (aTag == SCTAG_DOM_TRANSFORMSTREAM) {
+ MOZ_ASSERT(!aContent);
+#ifdef FUZZING
+ if (aExtraData + 1 >= mPortIdentifiers.Length()) {
+ return;
+ }
+#endif
+ MOZ_ASSERT(aExtraData + 1 < mPortIdentifiers.Length());
+ MessagePort::ForceClose(mPortIdentifiers[aExtraData]);
+ MessagePort::ForceClose(mPortIdentifiers[aExtraData + 1]);
+ return;
+ }
+}
+
+bool StructuredCloneHolder::CustomCanTransferHandler(
+ JSContext* aCx, JS::Handle<JSObject*> aObj,
+ bool* aSameProcessScopeRequired) {
+ if (!mSupportsTransferring) {
+ return false;
+ }
+
+ JS::Rooted<JSObject*> obj(aCx, aObj);
+
+ {
+ MessagePort* port = nullptr;
+ nsresult rv = UNWRAP_OBJECT(MessagePort, &obj, port);
+ if (NS_SUCCEEDED(rv)) {
+ return true;
+ }
+ }
+
+ {
+ OffscreenCanvas* canvas = nullptr;
+ nsresult rv = UNWRAP_OBJECT(OffscreenCanvas, &obj, canvas);
+ if (NS_SUCCEEDED(rv)) {
+ SameProcessScopeRequired(aSameProcessScopeRequired);
+ return CloneScope() == StructuredCloneScope::SameProcess;
+ }
+ }
+
+ {
+ ImageBitmap* bitmap = nullptr;
+ nsresult rv = UNWRAP_OBJECT(ImageBitmap, &obj, bitmap);
+ if (NS_SUCCEEDED(rv)) {
+ if (bitmap->IsWriteOnly()) {
+ return false;
+ }
+
+ SameProcessScopeRequired(aSameProcessScopeRequired);
+ return CloneScope() == StructuredCloneScope::SameProcess;
+ }
+ }
+
+ {
+ ReadableStream* stream = nullptr;
+ nsresult rv = UNWRAP_OBJECT(ReadableStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ // https://streams.spec.whatwg.org/#ref-for-transfer-steps
+ // Step 1: If ! IsReadableStreamLocked(value) is true, throw a
+ // "DataCloneError" DOMException.
+ return !IsReadableStreamLocked(stream);
+ }
+ }
+
+ {
+ WritableStream* stream = nullptr;
+ nsresult rv = UNWRAP_OBJECT(WritableStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ // https://streams.spec.whatwg.org/#ref-for-transfer-steps①
+ // Step 1: If ! IsWritableStreamLocked(value) is true, throw a
+ // "DataCloneError" DOMException.
+ return !IsWritableStreamLocked(stream);
+ }
+ }
+
+ {
+ TransformStream* stream = nullptr;
+ nsresult rv = UNWRAP_OBJECT(TransformStream, &obj, stream);
+ if (NS_SUCCEEDED(rv)) {
+ // https://streams.spec.whatwg.org/#ref-for-transfer-steps②
+ // Step 3 + 4: If ! Is{Readable,Writable}StreamLocked(value) is true,
+ // throw a "DataCloneError" DOMException.
+ return !IsReadableStreamLocked(stream->Readable()) &&
+ !IsWritableStreamLocked(stream->Writable());
+ }
+ }
+
+ return false;
+}
+
+bool StructuredCloneHolder::TakeTransferredPortsAsSequence(
+ Sequence<OwningNonNull<mozilla::dom::MessagePort>>& aPorts) {
+ nsTArray<RefPtr<MessagePort>> ports = TakeTransferredPorts();
+
+ aPorts.Clear();
+ for (uint32_t i = 0, len = ports.Length(); i < len; ++i) {
+ if (!aPorts.AppendElement(ports[i].forget(), fallible)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+void StructuredCloneHolder::SameProcessScopeRequired(
+ bool* aSameProcessScopeRequired) {
+ MOZ_ASSERT(aSameProcessScopeRequired);
+ if (mStructuredCloneScope == StructuredCloneScope::UnknownDestination) {
+ mStructuredCloneScope = StructuredCloneScope::SameProcess;
+ *aSameProcessScopeRequired = true;
+ }
+}
+
+} // namespace mozilla::dom |