From d129f0e5cdff77eadd23dd03daf5746fee3a01c5 Mon Sep 17 00:00:00 2001 From: Bobby Holley Date: Tue, 30 Jul 2013 08:43:46 -0700 Subject: [PATCH] Bug 898939 - Loosen assertion. r=bz This is just an overzealous assertion, rather than a security issue. --- js/xpconnect/wrappers/XrayWrapper.cpp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp index 19570d679de1..989ded473e67 100644 --- a/js/xpconnect/wrappers/XrayWrapper.cpp +++ b/js/xpconnect/wrappers/XrayWrapper.cpp @@ -1278,7 +1278,13 @@ XrayToString(JSContext *cx, unsigned argc, jsval *vp) static void DEBUG_CheckXBLCallable(JSContext *cx, JSObject *obj) { - MOZ_ASSERT(!js::IsCrossCompartmentWrapper(obj)); + // In general, we shouldn't have cross-compartment wrappers here, because + // we should be running in an XBL scope, and the content prototype should + // contain wrappers to functions defined in the XBL scope. But if the node + // has been adopted into another compartment, those prototypes will now point + // to a different XBL scope (which is ok). + MOZ_ASSERT_IF(js::IsCrossCompartmentWrapper(obj), + xpc::IsXBLScope(js::GetObjectCompartment(js::UncheckedUnwrap(obj)))); MOZ_ASSERT(JS_ObjectIsCallable(cx, obj)); } @@ -1443,8 +1449,10 @@ XrayWrapper::getPropertyDescriptor(JSContext *cx, HandleObject wra // // While we have to do some sketchy walking through content land, we should // be protected by read-only/non-configurable properties, and any functions - // we end up with should _always_ be living in our own scope (the XBL scope). - // Make sure to assert that. + // we end up with should _always_ be living in an XBL scope (usually ours, + // but could be another if the node has been adopted). + // + // Make sure to assert this. nsCOMPtr content; if (!desc->obj && EnsureCompartmentPrivate(wrapper)->scope->IsXBLScope() &&