From 03e03bd13cbda1d4610c76889e5dcf20af3c9dc2 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Wed, 29 Apr 2020 23:00:48 -0700
Subject: [PATCH] #600: M1588248 M1614704
---
 dom/workers/XMLHttpRequest.cpp | 10 ++++++++--
 dom/workers/XMLHttpRequest.h | 3 ++-
 js/src/jit/MIR.h | 5 +++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
index 32a8f6382..fc6808e2d 100644
--- a/dom/workers/XMLHttpRequest.cpp
+++ b/dom/workers/XMLHttpRequest.cpp
@@ -1861,6 +1861,8 @@ XMLHttpRequest::SendInternal(SendRunnable* aRunnable,
 aRunnable->SetSyncLoopTarget(syncLoopTarget);
 aRunnable->SetHaveUploadListeners(hasUploadListeners);
+ mStateData.mFlagSend = true;
+
 if (!aRunnable->Dispatch(cx)) {
 // Dispatch() may have spun the event loop and we may have already unrooted.
 // If so we don't want autoUnpin to try again.
@@ -1879,7 +1881,11 @@ XMLHttpRequest::SendInternal(SendRunnable* aRunnable,
 autoUnpin.Clear();
- if (!autoSyncLoop->Run()) {
+ bool succeeded = autoSyncLoop->Run();
+ mStateData.mFlagSend = false;
+
+ if (!succeeded) {
+ // Somehow we didn't throw. Throw now.
 aRv.Throw(NS_ERROR_FAILURE);
 }
 }
@@ -2083,7 +2089,7 @@ XMLHttpRequest::Send(ErrorResult& aRv)
 return;
 }
- if (!mProxy) {
+ if (!mProxy || mStateData.mFlagSend) {
 aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
 return;
 }
diff --git a/dom/workers/XMLHttpRequest.h b/dom/workers/XMLHttpRequest.h
index 64d3acb8e..f4bb13717 100644
--- a/dom/workers/XMLHttpRequest.h
+++ b/dom/workers/XMLHttpRequest.h
@@ -44,11 +44,12 @@ public:
 nsresult mResponseTextResult;
 nsresult mStatusResult;
 nsresult mResponseResult;
+ bool mFlagSend; // TenFourFox issue 600 (backbugs for M1588248)
 StateData() : mStatus(0), mReadyState(0), mResponse(JS::UndefinedValue()), mResponseTextResult(NS_OK), mStatusResult(NS_OK),
- mResponseResult(NS_OK)
+ mResponseResult(NS_OK), mFlagSend(false)
 { }
 };
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index b7c0b4522..eee27b30b 100644
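Review bot: In dom/workers/XMLHttpRequest.cpp, `mStateData.mFlagSend = true;` is set before `aRunnable->Dispatch(cx)` in SendInternal, but the only reset in this diff is after `autoSyncLoop->Run()` in the @@ -1879 hunk. Any return between the two, such as the Dispatch() failure branch whose body continues outside the hunk, would leave the flag set, and every later Send() on the object would then throw NS_ERROR_DOM_INVALID_STATE_ERR. The lines between the two hunks are not visible here, so this needs checking; if they can return, add `mStateData.mFlagSend = false;` on those paths or clear the flag from a scope guard.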
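Review bot: The re-entrancy check `if (!mProxy || mStateData.mFlagSend)` is added only to `XMLHttpRequest::Send(ErrorResult& aRv)`, and this diff touches no other caller of SendInternal. If the file has other Send overloads (string, blob or buffer bodies) that reach SendInternal, a nested send through them would not be rejected while the sync loop is running. Placing the guard once at the top of SendInternal, `if (mStateData.mFlagSend) { aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR); return; }`, would cover every entry point. Send()'s body starts and ends outside the hunk.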
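Review bot: In dom/workers/XMLHttpRequest.h, `mFlagSend` lives inside StateData and the constructor defaults it to false, so any code that assigns a whole StateData over `mStateData` would silently clear the flag while a send is still in progress. No such assignment is visible in this diff, so this needs checking against the rest of the class; if one exists, preserve the flag across the copy or keep it as a member of XMLHttpRequest itself. The field comment could also state the invariant, for example `// True while SendInternal() is between Dispatch() and the end of the sync loop.`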
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -4737,9 +4737,10 @@ class MCreateThis
 return getOperand(0);
 }
- // Although creation of |this| modifies global state, it is safely repeatable.
+ // Performs a property read from |newTarget| iff |newTarget| is a JSFunction
+ // with an own |.prototype| property.
 AliasSet getAliasSet() const override {
- return AliasSet::None();
+ return AliasSet::Load(AliasSet::Any);
 }
 bool possiblyCalls() const override {
 return true;
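Review bot: The new comment on `MCreateThis::getAliasSet()` says what is read but not why the alias set is the widest load set. If the intent is to stop the instruction from being hoisted or merged across stores that can change that property, a line such as `// Load(Any) orders this read after any store that could change |.prototype|; do not narrow.` would keep a later cleanup from reverting it to `AliasSet::None()`. The class body starts and ends outside the hunk.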