Bug 786801 - js_InferFlags should not stop at compartment boundaries (r=bhackett)

--HG-- extra : rebase_source : a8c83b7965d4b7fd1fa2bf12c1d5e24a20244215
2012-09-04 14:31:04 -07:00 · 2012-09-04 14:31:04 -07:00 · f3ddf2e017
--- a/content/html/document/test/test_documentAll.html
+++ b/content/html/document/test/test_documentAll.html
@ -22,6 +22,8 @@ Tests for document.all
  <a id="id3">E</a>
  <a id="id3">F</a>
 </div>
+<iframe id="subframe" src="data:text/html,<span id='x'></span>"
+        style="display: none"></iframe>
 <pre id="test">
 <script class="testbody" type="text/javascript">

@ -138,6 +140,14 @@ elementNames.forEach(function (name) {
 });
 is(hasName.length, 0, "found all names");

+SimpleTest.waitForExplicitFinish();
+addLoadEvent(function() {
+  var subdoc = $("subframe").contentDocument;
+  is(subdoc.all.x, subdoc.body.firstChild,
+     "document.all should work in a subdocument");
+  SimpleTest.finish();
+});
+
 // Utility functions
 function rC(node) {
  node.parentNode.removeChild(node);
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -2401,16 +2401,13 @@ js_CreateThisForFunction(JSContext *cx, HandleObject callee, bool newType)
 * checking whether document.all is defined.
 */
 static bool
-Detecting(JSContext *cx, jsbytecode *pc)
+Detecting(JSContext *cx, JSScript *script, jsbytecode *pc)
 {
    /* General case: a branch or equality op follows the access. */
    JSOp op = JSOp(*pc);
    if (js_CodeSpec[op].format & JOF_DETECTING)
        return true;

-    JSAtom *atom;
-
-    JSScript *script = cx->stack.currentScript();
    jsbytecode *endpc = script->code + script->length;
    JS_ASSERT(script->code <= pc && pc < endpc);

@ -2432,7 +2429,7 @@ Detecting(JSContext *cx, jsbytecode *pc)
         * about a local variable named |undefined| shadowing the immutable
         * global binding...because, really?
         */
-        atom = script->getAtom(GET_UINT32_INDEX(pc));
+        JSAtom *atom = script->getAtom(GET_UINT32_INDEX(pc));
        if (atom == cx->runtime->atomState.typeAtoms[JSTYPE_VOID] &&
            (pc += js_CodeSpec[op].length) < endpc) {
            op = JSOp(*pc);
@ -2450,24 +2447,26 @@ Detecting(JSContext *cx, jsbytecode *pc)
 unsigned
 js_InferFlags(JSContext *cx, unsigned defaultFlags)
 {
-    const JSCodeSpec *cs;
-    uint32_t format;
-    unsigned flags = 0;
-
-    jsbytecode *pc;
-    JSScript *script = cx->stack.currentScript(&pc);
-    if (!script || !pc)
+    /*
+     * Use ScriptFrameIter since we intentionally want to look across
+     * compartment boundaries in the case of cross-compartment property access.
+     */
+    ScriptFrameIter i(cx);
+    if (i.done())
        return defaultFlags;

-    cs = &js_CodeSpec[*pc];
-    format = cs->format;
+    jsbytecode *pc = i.pc();
+    JSScript *script = i.script();
+    const JSCodeSpec *cs = &js_CodeSpec[*pc];
+    uint32_t format = cs->format;
+    unsigned flags = 0;
    if (JOF_MODE(format) != JOF_NAME)
        flags |= JSRESOLVE_QUALIFIED;
    if (format & JOF_SET) {
        flags |= JSRESOLVE_ASSIGNING;
    } else if (cs->length >= 0) {
        pc += cs->length;
-        if (pc < script->code + script->length && Detecting(cx, pc))
+        if (pc < script->code + script->length && Detecting(cx, script, pc))
            flags |= JSRESOLVE_DETECTING;
    }
    return flags;
@ -4358,7 +4357,7 @@ js_GetPropertyHelperInline(JSContext *cx, HandleObject obj, HandleObject receive
            /* Do not warn about tests like (obj[prop] == undefined). */
            if (cx->resolveFlags == RESOLVE_INFER) {
                pc += js_CodeSpec[op].length;
-                if (Detecting(cx, pc))
+                if (Detecting(cx, script, pc))
                    return JS_TRUE;
            } else if (cx->resolveFlags & JSRESOLVE_DETECTING) {
                return JS_TRUE;