Fix for bug 744772 (Trace the DOM interface object array). r=bz.

--HG-- extra : rebase_source : c9f27bed0eab0e6db03295050176ef986cf0b59b
2012-05-02 14:49:43 +02:00 · 2012-05-02 14:49:43 +02:00 · 174872c252
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@ -202,6 +202,20 @@ AllocateProtoOrIfaceCache(JSObject* obj)
                      JS::PrivateValue(protoOrIfaceArray));
 }

+inline void
+TraceProtoOrIfaceCache(JSTracer* trc, JSObject* obj)
+{
+  MOZ_ASSERT(js::GetObjectClass(obj)->flags & JSCLASS_DOM_GLOBAL);
+
+  JSObject** protoOrIfaceArray = GetProtoOrIfaceArray(obj);
+  for (size_t i = 0; i < kProtoOrIfaceCacheCount; ++i) {
+    JSObject* proto = protoOrIfaceArray[i];
+    if (proto) {
+      JS_CALL_OBJECT_TRACER(trc, proto, "protoOrIfaceArray[i]");
+    }
+  }
+}
+
 inline void
 DestroyProtoOrIfaceCache(JSObject* obj)
 {
--- a/dom/bindings/test/Makefile.in
+++ b/dom/bindings/test/Makefile.in
@ -14,6 +14,7 @@ include $(topsrcdir)/config/rules.mk
 _TEST_FILES = \
  test_lookupGetter.html \
  test_InstanceOf.html \
+  test_traceProtos.html \
  $(NULL)

 libs:: $(_TEST_FILES)
--- a/dom/bindings/test/test_traceProtos.html
+++ b/dom/bindings/test/test_traceProtos.html
@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=744772
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 744772</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=744772">Mozilla Bug 744772</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 744772 **/
+
+SimpleTest.waitForExplicitFinish();
+
+function callback() {
+  new XMLHttpRequest().upload;
+  ok(true, "Accessing unreferenced DOM interface objects shouldn't crash");
+  SimpleTest.finish();
+}
+
+delete window.XMLHttpRequestUpload;
+SpecialPowers.exactGC(window, callback);
+
+</script>
+</pre>
+</body>
+</html>
--- a/dom/workers/WorkerScope.cpp
+++ b/dom/workers/WorkerScope.cpp
@ -844,6 +844,7 @@ private:
    DedicatedWorkerGlobalScope* scope =
      UnwrapDOMObject<DedicatedWorkerGlobalScope>(aObj, Class());
    if (scope) {
+      mozilla::dom::TraceProtoOrIfaceCache(aTrc, aObj);
      scope->_Trace(aTrc);
    }
  }
--- a/js/xpconnect/src/XPCWrappedNativeJSOps.cpp
+++ b/js/xpconnect/src/XPCWrappedNativeJSOps.cpp
@ -695,6 +695,11 @@ TraceForValidWrapper(JSTracer *trc, XPCWrappedNative* wrapper)
 static void
 MarkWrappedNative(JSTracer *trc, JSObject *obj)
 {
+    js::Class* clazz = js::GetObjectClass(obj);
+    if (clazz->flags & JSCLASS_DOM_GLOBAL) {
+        mozilla::dom::TraceProtoOrIfaceCache(trc, obj);
+    }
+
    JSObject *obj2;

    // Pass null for the first JSContext* parameter  to skip any security
--- a/js/xpconnect/src/nsXPConnect.cpp
+++ b/js/xpconnect/src/nsXPConnect.cpp
@ -1082,6 +1082,8 @@ TraceXPCGlobal(JSTracer *trc, JSObject *obj)

    if (XPCWrappedNativeScope *scope = XPCWrappedNativeScope::GetNativeScope(obj))
        scope->TraceDOMPrototypes(trc);
+
+    mozilla::dom::TraceProtoOrIfaceCache(trc, obj);
 }

 #ifdef DEBUG