Quickstub argument unwrapping fails for security-wrapped list proxy and paris binding objects

RESOLVED FIXED in mozilla16

Status: RESOLVED FIXED
Product: Core
Component: DOM
Reporter: peterv
Assignee: peterv
Version: Trunk
Target Milestone: mozilla16
Firefox Tracking Flags: (Not tracked)
Attachments: 1

Description (Assignee)

This was the cause of bug 743325.
Updated (Assignee)

Blocks: 734503
Comment 1 (Assignee)

Created attachment 631104 (v1)

The main issue was that xpc_qsUnwrapArgImpl didn't unwrap security wrappers before checking mozilla::dom::binding::instanceIsProxy.
Attachment #631104 - Flags: review?(bzbarsky)
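As an added illustration of the ordering problem comment 1 describes (this is example code written for this page, not Mozilla's code), the following toy C++ model runs the proxy and DOM-class tests once before and once after security wrappers are stripped. All names in it (ObjectKind, JSObjectModel, Native, unwrapSecurityWrapper, unwrapArgBuggy, unwrapArgFixed, recoversNative) are hypothetical stand-ins for the SpiderMonkey/XPConnect pieces they imitate, and the sample objects are constructed inline.

```cpp
// Added example, not Mozilla code: a small model of the ordering bug in
// comment 1. Every name below (ObjectKind, JSObjectModel, Native,
// unwrapSecurityWrapper, unwrapArgBuggy, unwrapArgFixed, recoversNative)
// is a hypothetical stand-in for the SpiderMonkey/XPConnect API it imitates.
#include <cstdio>
#include <string>

// What js::GetObjectClass would tell us about an object.
enum class ObjectKind { DOMProxy, DOMClass, SlimWrapper, SecurityWrapper, Plain };

struct Native { std::string name; };   // stand-in for an nsISupports*

struct JSObjectModel {
    ObjectKind kind;
    Native* priv;             // private slot / proxy private (stand-in)
    JSObjectModel* wrappee;   // target object, set only for SecurityWrapper
};

// Models js::UnwrapObject(): peel every security wrapper off the chain.
JSObjectModel* unwrapSecurityWrapper(JSObjectModel* obj) {
    while (obj && obj->kind == ObjectKind::SecurityWrapper)
        obj = obj->wrappee;
    return obj;
}

bool instanceIsProxy(const JSObjectModel* o) { return o->kind == ObjectKind::DOMProxy; }
bool isDOMClass(const JSObjectModel* o)      { return o->kind == ObjectKind::DOMClass; }
bool isSlimWrapper(const JSObjectModel* o)   { return o->kind == ObjectKind::SlimWrapper; }

// The bug: the proxy / DOM-class tests run on the raw argument. A security
// wrapper has its own class, so both tests fail for a wrapped proxy, and the
// wrapper is only stripped on the legacy wrapped-native path below, which
// does not recognise proxies either. Result: a valid argument is rejected.
Native* unwrapArgBuggy(JSObjectModel* obj) {
    if (instanceIsProxy(obj) || isDOMClass(obj))
        return obj->priv;
    JSObjectModel* inner = unwrapSecurityWrapper(obj);
    if (inner && isSlimWrapper(inner))
        return inner->priv;
    return nullptr;
}

// The fix: strip security wrappers first, then classify the object that
// actually carries the native. Unknown kinds fail explicitly (nullptr)
// instead of falling through with stale state.
Native* unwrapArgFixed(JSObjectModel* obj) {
    JSObjectModel* inner = unwrapSecurityWrapper(obj);
    if (!inner)
        return nullptr;
    if (instanceIsProxy(inner) || isDOMClass(inner) || isSlimWrapper(inner))
        return inner->priv;
    return nullptr;
}

typedef Native* (*UnwrapFn)(JSObjectModel*);

// Constructed sample input: an object of the given kind, optionally seen
// through `depth` nested security wrappers (cross-compartment access).
// Returns true if `unwrap` recovers the native behind it.
bool recoversNative(UnwrapFn unwrap, ObjectKind kind, int depth) {
    Native native{"NodeList"};
    JSObjectModel target{kind, &native, nullptr};
    JSObjectModel chain[4];   // enough for depth <= 4
    JSObjectModel* outer = &target;
    for (int i = 0; i < depth && i < 4; ++i) {
        chain[i] = JSObjectModel{ObjectKind::SecurityWrapper, nullptr, outer};
        outer = &chain[i];
    }
    return unwrap(outer) == &native;
}

int main() {
    std::printf("wrapped proxy, buggy: %d\n",
                recoversNative(unwrapArgBuggy, ObjectKind::DOMProxy, 1));
    std::printf("wrapped proxy, fixed: %d\n",
                recoversNative(unwrapArgFixed, ObjectKind::DOMProxy, 1));
    std::printf("wrapped slim wrapper, buggy: %d\n",
                recoversNative(unwrapArgBuggy, ObjectKind::SlimWrapper, 1));
    return 0;
}
```

The model makes the security-relevant point concrete: a class or proxy test applied to a security wrapper only ever sees the wrapper's own class, so any classification must happen on the unwrapped target. The fixed routine also fails closed on object kinds it does not recognise rather than continuing with whatever was in its locals.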

Comment 2

Comment on attachment 631104 (v1)

Would it make sense to test for IsDOMClass before InstanceIsProxy in both getWrapper and castNative?  Which do we think will be more common?

r=me in either case.
Attachment #631104 - Flags: review?(bzbarsky) → review+
Comment 3

Review of attachment 631104 (v1):

::: js/xpconnect/src/XPCQuickStubs.cpp
@@ +697,5 @@
>      *tearoff = nsnull;
>  
> +    js::Class* clasp = js::GetObjectClass(obj);
> +    if (mozilla::dom::binding::instanceIsProxy(obj) ||
> +        mozilla::dom::IsDOMClass(clasp)) {
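Review bot: the new condition calls instanceIsProxy(obj) and GetObjectClass(obj) on `obj` directly, so it is only correct if every security wrapper has already been stripped from `obj` before this point in the function; the lines shown do not include that unwrap, so please confirm it happens above (otherwise this is the same ordering problem comment 1 describes, just in a second place). Minor: `clasp` is only consumed by the IsDOMClass test, so it could be computed after the proxy test short-circuits.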

You can drop the 'mozilla::' here

@@ +754,5 @@
> +        if (mozilla::dom::binding::instanceIsProxy(cur)) {
> +            native = static_cast<nsISupports*>(js::GetProxyPrivate(cur).toPrivate());
> +            entries = nsnull;
> +        } else if (mozilla::dom::IsDOMClass(clasp)) {
> +            native = mozilla::dom::UnwrapDOMObject<nsISupports>(cur);
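Review bot: the instanceIsProxy(cur) branch casts GetProxyPrivate(cur).toPrivate() straight to nsISupports* with nothing recording that every proxy accepted by instanceIsProxy keeps an nsISupports* in its private slot; a one-line comment or assertion stating that invariant would stop a future proxy class with a different private from being silently misread. Likewise `entries = nsnull` on this path means the caller has to tolerate a null offsets table for proxies, which is worth noting next to the assignment.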

And here

@@ +761,4 @@
>              native = static_cast<nsISupports*>(xpc_GetJSPrivate(cur));
>              entries = GetOffsetsFromSlimWrapper(cur);
>          } else {
> +            NS_NOTREACHED("what kind of wrapper is this?");
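Review bot: NS_NOTREACHED is a no-op in release builds, so in this final `else` branch `native` and `entries` keep whatever values they held before and execution continues into the code that follows; either assign `native = nsnull; entries = nsnull;` (or return failure) in that branch, or use an aborting assertion, so that an unrecognised wrapper kind cannot flow through as a stale pointer.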

MOZ_NOT_REACHED?

Updated

Blocks: 750297
Comment 4 (Assignee)

https://hg.mozilla.org/integration/mozilla-inbound/rev/2fdee4a75df4
Target Milestone: --- → mozilla16

Comment 5

https://hg.mozilla.org/mozilla-central/rev/2fdee4a75df4
Status: ASSIGNED → RESOLVED
Resolution: --- → FIXED

Updated

Blocks: 769464
No longer blocks: 769464
Depends on: 769464