diff options
author | Basilisk-Dev <basiliskdev@protonmail.com> | 2023-10-30 15:36:44 -0400 |
---|---|---|
committer | Basilisk-Dev <basiliskdev@protonmail.com> | 2023-10-30 15:36:44 -0400 |
commit | ecb8ae6aba40290bb1adb12991e5515f91f00b80 (patch) | |
tree | e346bcbf32adb98d51f2917113b6fa23d29e2b2c /js/src | |
parent | 72a2a5f2bd6050824b3d67212a32365d3d541079 (diff) | |
download | uxp-ecb8ae6aba40290bb1adb12991e5515f91f00b80.tar.gz |
No issue - Structured clone algorithm doesn't serialize Array Length contrary to HTML spec, resulting in truncation of trailing sparse arrays like [1,2,3,,]
Backport of https://bugzilla.mozilla.org/show_bug.cgi?id=1476955
Diffstat (limited to 'js/src')
-rw-r--r-- | js/src/vm/StructuredClone.cpp | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp index e99cfe8f71..f7b7c75965 100644 --- a/js/src/vm/StructuredClone.cpp +++ b/js/src/vm/StructuredClone.cpp @@ -1240,7 +1240,16 @@ JSStructuredCloneWriter::traverseObject(HandleObject obj) ESClass cls; if (!GetBuiltinClass(context(), obj, &cls)) return false; - return out.writePair(cls == ESClass::Array ? SCTAG_ARRAY_OBJECT : SCTAG_OBJECT_OBJECT, 0); + + if (cls == ESClass::Array) { + uint32_t length = 0; + if (!JS_GetArrayLength(context(), obj, &length)) + return false; + + return out.writePair(SCTAG_ARRAY_OBJECT, NativeEndian::swapToLittleEndian(length)); + } + + return out.writePair(SCTAG_OBJECT_OBJECT, 0); } bool @@ -2143,7 +2152,7 @@ JSStructuredCloneReader::startRead(MutableHandleValue vp) case SCTAG_ARRAY_OBJECT: case SCTAG_OBJECT_OBJECT: { JSObject* obj = (tag == SCTAG_ARRAY_OBJECT) - ? (JSObject*) NewDenseEmptyArray(context()) + ? (JSObject*) NewDenseUnallocatedArray(context(), NativeEndian::swapFromLittleEndian(data)) : (JSObject*) NewBuiltinClassInstance<PlainObject>(context()); if (!obj || !objs.append(ObjectValue(*obj))) return false; |