Bug 959926. Fix some miscellaneous unsafe pointer hazards. r=terrence

This commit is contained in:
Boris Zbarsky 2014-01-15 14:39:08 -05:00
Родитель 3f5d1cb811
Коммит 3e24fe0289
5 изменённых файлов: 20 добавлений и 7 удалений

Просмотреть файл

@ -3305,7 +3305,9 @@ NS_IMETHODIMP nsJSArgArray::QueryElementAt(uint32_t index, const nsIID & uuid, v
return NS_ERROR_INVALID_ARG;
if (uuid.Equals(NS_GET_IID(nsIVariant)) || uuid.Equals(NS_GET_IID(nsISupports))) {
return nsContentUtils::XPConnect()->JSToVariant(mContext, mArgv[index],
// Have to copy a Heap into a Rooted to work with it.
JS::Rooted<JS::Value> val(mContext, mArgv[index]);
return nsContentUtils::XPConnect()->JSToVariant(mContext, val,
(nsIVariant **)result);
}
NS_WARNING("nsJSArgArray only handles nsIVariant");

Просмотреть файл

@ -360,7 +360,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
return false;
case JSD_ERROR_REPORTER_DEBUG:
{
jsval rval;
JS::RootedValue rval(cx);
JSD_ExecutionHookProc hook;
void* hookData;
@ -371,7 +371,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
JSD_UNLOCK();
jsd_CallExecutionHook(jsdc, cx, JSD_HOOK_DEBUG_REQUESTED,
hook, hookData, &rval);
hook, hookData, rval.address());
/* XXX Should make this dependent on ExecutionHook retval */
return true;
}

Просмотреть файл

@ -7426,11 +7426,11 @@ CodeGenerator::visitInstanceOfV(LInstanceOfV *ins)
return emitInstanceOf(ins, ins->mir()->prototypeObject());
}
// Wrap IsDelegate, which takes a Value for the lhs of an instanceof.
// Wrap IsDelegateOfObject, which takes a JSObject*, not a HandleObject
static bool
IsDelegateObject(JSContext *cx, HandleObject protoObj, HandleObject obj, bool *res)
{
return IsDelegate(cx, protoObj, ObjectValue(*obj), res);
return IsDelegateOfObject(cx, protoObj, obj, res);
}
typedef bool (*IsDelegateObjectFn)(JSContext *, HandleObject, HandleObject, bool *);

Просмотреть файл

@ -5252,7 +5252,13 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
*result = false;
return true;
}
RootedObject obj2(cx, &v.toObject());
return IsDelegateOfObject(cx, obj, &v.toObject(), result);
}
bool
js::IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result)
{
RootedObject obj2(cx, obj);
for (;;) {
if (!JSObject::getProto(cx, obj2, &obj2))
return false;
@ -5260,7 +5266,7 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
*result = false;
return true;
}
if (obj2 == obj) {
if (obj2 == protoObj) {
*result = true;
return true;
}

Просмотреть файл

@ -1536,6 +1536,11 @@ CheckAccess(JSContext *cx, JSObject *obj, HandleId id, JSAccessMode mode,
extern bool
IsDelegate(JSContext *cx, HandleObject obj, const Value &v, bool *result);
// obj is a JSObject*, but we root it immediately up front. We do it
// that way because we need a Rooted temporary in this method anyway.
extern bool
IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result);
bool
GetObjectElementOperationPure(ThreadSafeContext *cx, JSObject *obj, const Value &prop, Value *vp);