Bug 898939 - Loosen assertion. r=bz

This is just an overzealous assertion, rather than a security issue.
2013-07-30 08:43:46 -07:00 · 2013-07-30 08:43:46 -07:00 · d129f0e5cd
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -1278,7 +1278,13 @@ XrayToString(JSContext *cx, unsigned argc, jsval *vp)
 static void
 DEBUG_CheckXBLCallable(JSContext *cx, JSObject *obj)
 {
-    MOZ_ASSERT(!js::IsCrossCompartmentWrapper(obj));
+    // In general, we shouldn't have cross-compartment wrappers here, because
+    // we should be running in an XBL scope, and the content prototype should
+    // contain wrappers to functions defined in the XBL scope. But if the node
+    // has been adopted into another compartment, those prototypes will now point
+    // to a different XBL scope (which is ok).
+    MOZ_ASSERT_IF(js::IsCrossCompartmentWrapper(obj),
+                  xpc::IsXBLScope(js::GetObjectCompartment(js::UncheckedUnwrap(obj))));
    MOZ_ASSERT(JS_ObjectIsCallable(cx, obj));
 }

@ -1443,8 +1449,10 @@ XrayWrapper<Base, Traits>::getPropertyDescriptor(JSContext *cx, HandleObject wra
    //
    // While we have to do some sketchy walking through content land, we should
    // be protected by read-only/non-configurable properties, and any functions
-    // we end up with should _always_ be living in our own scope (the XBL scope).
-    // Make sure to assert that.
+    // we end up with should _always_ be living in an XBL scope (usually ours,
+    // but could be another if the node has been adopted).
+    //
+    // Make sure to assert this.
    nsCOMPtr<nsIContent> content;
    if (!desc->obj &&
        EnsureCompartmentPrivate(wrapper)->scope->IsXBLScope() &&