Bug 1074863 - Handle named constructors which have DOMXrayTraits while being simultaneously JSProto_Function. r=peterv
author Bobby Holley <bobbyholley@gmail.com>
Thu, 02 Oct 2014 11:06:03 +0200
changeset 208371 4bff4b0ed99cc3d43745515b3a4716856312072f
parent 208370 13740fca92f2a957514ab91fc0243770583776ad
child 208372 c70ca7e5474135b799f0bc26f5d8ff9c66faaf1b
push id 49906
push user bobbyholley@gmail.com
push date Thu, 02 Oct 2014 09:06:56 +0000
treeherder mozilla-inbound@4bff4b0ed99c
reviewers peterv
bugs 1074863
milestone 35.0a1
Simple fix, but interesting test case and worth having on CI.
js/xpconnect/tests/chrome/chrome.ini
js/xpconnect/tests/chrome/test_bug1074863.html
js/xpconnect/wrappers/WrapperFactory.cpp
--- a/js/xpconnect/tests/chrome/chrome.ini
+++ b/js/xpconnect/tests/chrome/chrome.ini
@@ -62,16 +62,17 @@ skip-if = buildapp == 'mulet'
 [test_bug865948.xul]
 [test_bug866823.xul]
 [test_bug895340.xul]
 [test_bug932906.xul]
 [test_bug996069.xul]
 [test_bug1041626.xul]
 [test_bug1042436.xul]
 [test_bug1050049.html]
+[test_bug1074863.html]
 [test_xrayToJS.xul]
 skip-if = buildapp == 'mulet'
 [test_chrometoSource.xul]
 skip-if = buildapp == 'mulet'
 [test_cloneInto.xul]
 [test_cows.xul]
 skip-if = buildapp == 'mulet'
 [test_discardSystemSource.xul]
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/chrome/test_bug1074863.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1074863
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1074863</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://global/skin"/>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 1074863 **/
+  const Cu = Components.utils;
+  var sb = new Cu.Sandbox('http://www.example.com');
+  sb.namedCtor = Image;
+  ok(true, "Didn't assert");
+
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1074863">Mozilla Bug 1074863</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
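Review bot: The only check in this test is ok(true, "Didn't assert") after `sb.namedCtor = Image`, so it passes whenever the assignment does not crash, and the MOZ_ASSERT it is guarding against only fires in debug builds. On opt builds the test cannot fail even if ForceCOWBehavior regresses. Consider adding a check on what the sandbox actually sees for namedCtor, so the test verifies that the DOM constructor is not exposed COW-style rather than only that wrapping did not assert. A one-line comment above the assignment explaining that Image is a named constructor that identifies as JSProto_Function while having DOM Xray traits would also make the intent clear to someone reading the test without the bug open.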
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -109,16 +109,21 @@ WrapperFactory::WaiveXray(JSContext *cx,
 
 // In general, we're trying to deprecate COWs incrementally as we introduce
 // Xrays to the corresponding object types. But switching off COWs for certain
 // things would be too tumultuous at present, so we punt on them for later.
 static bool
 ForceCOWBehavior(JSObject *obj)
 {
     JSProtoKey key = IdentifyStandardInstanceOrPrototype(obj);
+    if (key == JSProto_Function && GetXrayType(obj) == XrayForDOMObject) {
+        // This means that we've got a DOM constructor, which we never want to
+        // expose COW-style.
+        return false;
+    }
     if (key == JSProto_Object || key == JSProto_Array || key == JSProto_Function) {
         MOZ_ASSERT(GetXrayType(obj) == XrayForJSObject,
                    "We should use XrayWrappers for standard ES Object, Array, and Function "
                    "instances modulo this hack");
         return true;
     }
 
     return false;
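Review bot: The new early return in ForceCOWBehavior depends on running before the existing `key == JSProto_Function` branch, because that branch asserts `GetXrayType(obj) == XrayForJSObject`; nothing in the code says so, and a later reordering would bring the assertion back. Please extend the comment to state that DOM named constructors identify as JSProto_Function while having XrayForDOMObject and that this check must stay ahead of the COW branch. The assertion message ("standard ES Object, Array, and Function instances modulo this hack") could mention the exception as well. Minor: GetXrayType(obj) is now evaluated in both the new check and the assert; storing it in a local once would keep the two conditions visibly tied together.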