From ccf4d72d2d6d36bfde17b3aec9d6171983b61355 Mon Sep 17 00:00:00 2001
From: Blake Kaplan <mrbkap@gmail.com>
Date: Mon, 2 May 2011 15:47:10 -0700
Subject: [PATCH] Bug 650273 - Force a frame here. r=luke

--HG--
extra : rebase_source : eba79b2d20d380c7172bb982c09523c3df180185
---
 dom/base/nsJSEnvironment.cpp                  |  5 ++-
 js/src/jswrapper.cpp                          | 20 ++++++++-
 js/src/jswrapper.h                            | 17 +++++++-
 js/src/xpconnect/tests/mochitest/Makefile.in  |  2 +
 .../tests/mochitest/file_bug650273.html       | 31 +++++++++++++
 .../tests/mochitest/test_bug650273.html       | 43 +++++++++++++++++++
 6 files changed, 114 insertions(+), 4 deletions(-)
 create mode 100644 js/src/xpconnect/tests/mochitest/file_bug650273.html
 create mode 100644 js/src/xpconnect/tests/mochitest/test_bug650273.html

diff --git a/dom/base/nsJSEnvironment.cpp b/dom/base/nsJSEnvironment.cpp
index 4563c2fff238..7382b07f06c0 100644
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@@ -88,6 +88,7 @@
 #include "xpcpublic.h"
 
 #include "jsdbgapi.h"           // for JS_ClearWatchPointsForObject
+#include "jswrapper.h"
 #include "jsxdrapi.h"
 #include "nsIArray.h"
 #include "nsIObjectInputStream.h"
@@ -1881,7 +1882,9 @@ nsJSContext::CallEventHandler(nsISupports* aTarget, void *aScope, void *aHandler
 
     jsval funval = OBJECT_TO_JSVAL(funobj);
     JSAutoEnterCompartment ac;
-    if (!ac.enter(mContext, funobj) || !JS_WrapObject(mContext, &target)) {
+    js::ForceFrame ff(mContext, funobj);
+    if (!ac.enter(mContext, funobj) || !ff.enter() ||
+        !JS_WrapObject(mContext, &target)) {
       sSecurityManager->PopContextPrincipal(mContext);
       return NS_ERROR_FAILURE;
     }
diff --git a/js/src/jswrapper.cpp b/js/src/jswrapper.cpp
index 0e0577658d09..aa0057f51e88 100644
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
@@ -357,12 +357,30 @@ TransparentObjectWrapper(JSContext *cx, JSObject *obj, JSObject *wrappedProto, J
 
 }
 
+ForceFrame::ForceFrame(JSContext *cx, JSObject *target)
+    : context(cx),
+      target(target)
+{
+}
+
+bool
+ForceFrame::enter()
+{
+    LeaveTrace(context);
+
+    JS_ASSERT(context->compartment == target->compartment());
+
+    JSObject *scopeChain = target->getGlobal();
+    JS_ASSERT(scopeChain->isNative());
+
+    return context->stack.pushDummyFrame(context, *scopeChain, &frame);
+}
+
 AutoCompartment::AutoCompartment(JSContext *cx, JSObject *target)
     : context(cx),
       origin(cx->compartment),
       target(target),
       destination(target->getCompartment()),
-      input(cx),
       entered(false)
 {
 }
diff --git a/js/src/jswrapper.h b/js/src/jswrapper.h
index 8c5f73eccba4..40048b99b813 100644
--- a/js/src/jswrapper.h
+++ b/js/src/jswrapper.h
@@ -156,6 +156,21 @@ class JS_FRIEND_API(JSCrossCompartmentWrapper) : public JSWrapper {
 
 namespace js {
 
+// A hacky class that lets a friend force a fake frame. We must already be
+// in the compartment of |target| when we enter the forced frame.
+class JS_FRIEND_API(ForceFrame)
+{
+  public:
+    JSContext * const context;
+    JSObject * const target;
+  private:
+    DummyFrameGuard frame;
+
+  public:
+    ForceFrame(JSContext *cx, JSObject *target);
+    bool enter();
+};
+
 class AutoCompartment
 {
   public:
@@ -165,8 +180,6 @@ class AutoCompartment
     JSCompartment * const destination;
   private:
     Maybe<DummyFrameGuard> frame;
-    FrameRegs regs;
-    AutoStringRooter input;
     bool entered;
 
   public:
diff --git a/js/src/xpconnect/tests/mochitest/Makefile.in b/js/src/xpconnect/tests/mochitest/Makefile.in
index 596a7e4c11a3..6f38bc128489 100644
--- a/js/src/xpconnect/tests/mochitest/Makefile.in
+++ b/js/src/xpconnect/tests/mochitest/Makefile.in
@@ -89,6 +89,8 @@ _TEST_FILES =	bug500931_helper.html \
 		test2_bug629331.html \
 		test_bug618017.html \
 		test_bug636097.html \
+		test_bug650273.html \
+		file_bug650273.html \
 		$(NULL)
 
 		#test_bug484107.html \
diff --git a/js/src/xpconnect/tests/mochitest/file_bug650273.html b/js/src/xpconnect/tests/mochitest/file_bug650273.html
new file mode 100644
index 000000000000..c5f4f5b6da92
--- /dev/null
+++ b/js/src/xpconnect/tests/mochitest/file_bug650273.html
@@ -0,0 +1,31 @@
+<!-- test by moz_bug_r_a4@yahoo.com -->
+<body onload="a()">
+<script>
+var targetUrl = "http://example.com/";
+var l;
+
+function a() {
+        var o = {};
+        o.toString = function() {
+                l();
+                return "a";
+        };
+        var f = Components.lookupMethod(document, "title");
+        setTimeout(f, 0, o);
+}
+
+function l() {
+        var l = false;
+        onunload = function() {
+                l = true;
+        };
+        location = targetUrl;
+        do {
+                var r = new XMLHttpRequest();
+                r.open("GET", location.href, false);
+                r.overrideMimeType("text/plain");
+                try { r.send(null); }
+                catch (e) {}
+        } while (!l);
+}
+</script>
diff --git a/js/src/xpconnect/tests/mochitest/test_bug650273.html b/js/src/xpconnect/tests/mochitest/test_bug650273.html
new file mode 100644
index 000000000000..09a3429e5696
--- /dev/null
+++ b/js/src/xpconnect/tests/mochitest/test_bug650273.html
@@ -0,0 +1,43 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=650273
+test by moz_bug_r_a4@yahoo.com
+-->
+<head>
+  <title>Test for Bug 650273</title>
+  <script type="application/javascript" src="/MochiKit/packed.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank"
+href="https://bugzilla.mozilla.org/show_bug.cgi?id=650273">Mozilla Bug 650273</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 504877 **/
+SimpleTest.waitForExplicitFinish();
+var count = 0;
+function done() {
+    if (++count == 2) {
+        try {
+            ok($('ifr').location.host === 'example.com', "shouldn't see this");
+        } catch (e) {
+            ok(true, "navigation successfully happened");
+        }
+        SimpleTest.finish();
+    }
+}
+
+</script>
+
+<iframe id="ifr" src="file_bug650273.html" onload="done()"></iframe>
+
+</pre>
+</body>
+</html>