Bug 1378207 - Stop bypassing the Xray layer when walking the prototype chain. v2 r=krizsa
☠☠ backed out by e55488c64a0b ☠ ☠
authorBobby Holley <bobbyholley@gmail.com>
Mon, 17 Jul 2017 14:31:50 +0200
changeset 369269 5d9a6384bf513139ca33f54825db4f035ebdbdab
parent 369268 94916f5a6dcbe73bc1f6986e228e0dbaf4490e6f
child 369270 8843631f2926c3a655104c82aeb2c3a4764942f6
push id46631
push userkwierso@gmail.com
push dateTue, 18 Jul 2017 00:38:28 +0000
reviewerskrizsa
bugs1378207
milestone56.0a1
Bug 1378207 - Stop bypassing the Xray layer when walking the prototype chain. v2 r=krizsa MozReview-Commit-ID: AR2Sta2gWRk
js/xpconnect/src/XPCJSID.cpp
--- a/js/xpconnect/src/XPCJSID.cpp
+++ b/js/xpconnect/src/XPCJSID.cpp
@@ -451,37 +451,36 @@ nsJSIID::Enumerate(nsIXPConnectWrappedNa
  *     there's chrome code that relies on this.
  *
  * This static method handles both complexities, returning either an XPCWN, a
  * DOM object, or null. The object may well be cross-compartment from |cx|.
  */
 static nsresult
 FindObjectForHasInstance(JSContext* cx, HandleObject objArg, MutableHandleObject target)
 {
+    using namespace mozilla::jsipc;
     RootedObject obj(cx, objArg), proto(cx);
-
-    while (obj && !IS_WN_REFLECTOR(obj) &&
-           !IsDOMObject(obj) && !mozilla::jsipc::IsCPOW(obj))
-    {
-        if (js::IsWrapper(obj)) {
-            obj = js::CheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
-            continue;
+    while (true) {
+        // Try the object, or the wrappee if allowed.
+        JSObject* o = js::IsWrapper(obj) ? js::CheckedUnwrap(obj, false) : obj;
+        if (o && (IS_WN_REFLECTOR(o) || IsDOMObject(o) || IsCPOW(o))) {
+            target.set(o);
+            return NS_OK;
         }
 
-        {
-            JSAutoCompartment ac(cx, obj);
-            if (!js::GetObjectProto(cx, obj, &proto))
-                return NS_ERROR_FAILURE;
+        // Walk the prototype chain from the perspective of the callee (i.e.
+        // respecting Xrays if they exist).
+        if (!js::GetObjectProto(cx, obj, &proto))
+            return NS_ERROR_FAILURE;
+        if (!proto) {
+            target.set(nullptr);
+            return NS_OK;
         }
-
         obj = proto;
     }
-
-    target.set(obj);
-    return NS_OK;
 }
 
 nsresult
 xpc::HasInstance(JSContext* cx, HandleObject objArg, const nsID* iid, bool* bp)
 {
     *bp = false;
 
     RootedObject obj(cx);
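Review bot: The rewritten loop in FindObjectForHasInstance no longer guards against a null `obj`: the old condition began `while (obj && ...)`, whereas the new body hands `obj` straight to `js::IsWrapper(obj)` and `js::GetObjectProto(cx, obj, &proto)` on the first iteration. Whether `objArg` can be null depends on callers outside this hunk, so either state the precondition with `MOZ_ASSERT(obj);` before the loop or keep the old result with `if (!obj) { target.set(nullptr); return NS_OK; }`. The comment `// Try the object, or the wrappee if allowed.` should also record that a denied unwrap (`CheckedUnwrap` returning null) now falls through to the prototype walk on the wrapper itself, where the old code stopped with a null target; that changes how security wrappers are treated and belongs next to the check. The bare `false` would be easier to audit as `/* stopAtWindowProxy = */ false`, as the removed line had it.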