Bug 832091 - guards against crashes in resolveDOMCollectionProperty. r=bholley

2013-04-07 10:18:58 +02:00 · 2013-04-07 10:18:58 +02:00 · 07c194820d
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -605,12 +605,11 @@ holder_set(JSContext *cx, HandleObject wrapperArg, HandleId id, JSBool strict, M
 class AutoSetWrapperNotShadowing
 {
 public:
-    AutoSetWrapperNotShadowing(JSObject *wrapper MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
+    AutoSetWrapperNotShadowing(ResolvingId *resolvingId MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
    {
        MOZ_GUARD_OBJECT_NOTIFIER_INIT;
-        MOZ_ASSERT(wrapper);
-        mResolvingId = ResolvingId::getResolvingIdFromWrapper(wrapper);
-        MOZ_ASSERT(mResolvingId);
+        MOZ_ASSERT(resolvingId);
+        mResolvingId = resolvingId;
        mResolvingId->mXrayShadowing = true;
    }

@ -640,12 +639,26 @@ XPCWrappedNativeXrayTraits::resolveDOMCollectionProperty(JSContext *cx, HandleOb
        return true;

    XPCWrappedNative *wn = getWN(wrapper);
+    if (!wn) {
+        // This should NEVER happen, but let's be extra careful here
+        // becaue of the reported crashes (Bug 832091).
+        XPCThrower::Throw(NS_ERROR_UNEXPECTED, cx);
+        return false;
+    }
    if (!NATIVE_HAS_FLAG(wn, WantNewResolve))
        return true;

+    ResolvingId *resolvingId = ResolvingId::getResolvingIdFromWrapper(wrapper);
+    if (!resolvingId) {
+        // This should NEVER happen, but let's be extra careful here
+        // becaue of the reported crashes (Bug 832091).
+        XPCThrower::Throw(NS_ERROR_UNEXPECTED, cx);
+        return false;
+    }
+
    // Setting the current ResolvingId in non-shadowing mode. So for this id
    // Xray won't ignore DOM specific collection properties temporarily.
-    AutoSetWrapperNotShadowing asw(wrapper);
+    AutoSetWrapperNotShadowing asw(resolvingId);

    bool retval = true;
    RootedObject pobj(cx);
@ -777,10 +790,13 @@ XPCWrappedNativeXrayTraits::resolveNativeProperty(JSContext *cx, HandleObject wr
    XPCNativeInterface *iface;
    XPCNativeMember *member;
    XPCWrappedNative *wn = getWN(wrapper);
-    if (ccx.GetWrapper() != wn ||
-        !wn->IsValid()  ||
-        !(iface = ccx.GetInterface()) ||
-        !(member = ccx.GetMember())) {
+
+    if (ccx.GetWrapper() != wn || !wn->IsValid()) {
+        // Something is wrong. If the wrapper is not even valid let's not risk
+        // calling resolveDOMCollectionProperty.
+        return true;
+    } else if (!(iface = ccx.GetInterface()) ||
+               !(member = ccx.GetMember())) {
        /* Not found */
        return resolveDOMCollectionProperty(cx, wrapper, holder, id, desc, flags);
    }