No Issue - StructuredClone serialize and deserialize should treat back reference consistently

Backport of https://bugzilla.mozilla.org/show_bug.cgi?id=1538622

dom/base/test/mochitest.ini

@@ -764,6 +764,7 @@ skip-if = debug == false
 [test_setting_opener.html]
 [test_simplecontentpolicy.html]
 skip-if = e10s # Bug 1156489.
+[test_structuredclone_backref.html]
 [test_text_wholeText.html]
 [test_textnode_normalize_in_selection.html]
 [test_textnode_split_in_selection.html]

dom/tests/mochitest/bugs/test_bug743615.html

@@ -54,8 +54,7 @@ function windowMessage(evt) {
   ok(checkPattern(imageData, pattern),
      'postMessage from self worked correctly');
 
-  // We're not spec compliant on this yet.
-  todo_is(imageData.data, evt.data.dataRef,
+  is(imageData.data, evt.data.dataRef,
           'Should have backrefs for imagedata buffer');
 
   // Make a new pattern, and send it to a worker.

js/src/vm/StructuredClone.cpp

@@ -2046,6 +2046,7 @@ bool
 JSStructuredCloneReader::startRead(MutableHandleValue vp)
 {
     uint32_t tag, data;
+    bool alreadAppended = false;
 
     if (!in.readPair(&tag, &data))
         return false;
@@ -2246,15 +2247,29 @@ JSStructuredCloneReader::startRead(MutableHandleValue vp)
                                       "unsupported type");
             return false;
         }
+
+        // callbacks->read() might read other objects from the buffer.
+        // In startWrite we always write the object itself before calling
+        // the custom function. We should do the same here to keep
+        // indexing consistent.
+        uint32_t placeholderIndex = allObjs.length();
+        Value dummy = UndefinedValue();
+        if (!allObjs.append(dummy)) {
+            return false;
+        }
+
         JSObject* obj = callbacks->read(context(), this, tag, data, closure);
         if (!obj)
             return false;
         vp.setObject(*obj);
+        allObjs[placeholderIndex].set(vp);
+        alreadAppended = true;
       }
     }
 
-    if (vp.isObject() && !allObjs.append(vp))
+    if (!alreadAppended && vp.isObject() && !allObjs.append(vp)) {
         return false;
+    }
 
     return true;
 }
@@ -2828,7 +2843,20 @@ JS_WriteTypedArray(JSStructuredCloneWriter* w, HandleValue v)
     MOZ_ASSERT(v.isObject());
     assertSameCompartment(w->context(), v);
     RootedObject obj(w->context(), &v.toObject());
-    return w->writeTypedArray(obj);
+
+    // startWrite can write everything, thus we should check here
+    // and report error if the user passes a wrong type.
+    if (!JS_IsTypedArrayObject(obj)) {
+        JS_ReportErrorNumberASCII(w->context(), GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA,
+                                  "expected type array");
+        return false;
+    }
+
+    // We should use startWrite instead of writeTypedArray, because
+    // typed array is an object, we should add it to the |memory|
+    // (allObjs) list. Directly calling writeTypedArray won't add it.
+    return w->startWrite(v);
 }
 
 JS_PUBLIC_API(bool)