Bug 1089049 - crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate. r=bz.
authorPeter Van der Beken <peterv@propagandism.org>
Tue, 04 Nov 2014 10:20:08 +0100
changeset 213831 f24cc6f4a15e544d8b7ab8e5bbaff8dcf9db5a05
parent 213830 41ec8dd3e641a6d560ffaf7aecbb01fe5a35b5ba
child 213832 2b4400abcbecc93798b316b61258a6045931e574
push id51348
push userpvanderbeken@mozilla.com
push dateTue, 04 Nov 2014 11:55:20 +0000
reviewersbz
bugs1089049
milestone36.0a1
Bug 1089049 - crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate. r=bz.
dom/base/nsDocument.cpp
dom/base/nsIDocument.h
dom/webidl/XPathEvaluator.webidl
dom/xslt/crashtests/1089049.html
dom/xslt/crashtests/crashtests.list
dom/xslt/xpath/XPathEvaluator.cpp
dom/xslt/xpath/XPathEvaluator.h
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -12396,17 +12396,17 @@ nsIDocument::CreateExpression(const nsAS
 nsINode*
 nsIDocument::CreateNSResolver(nsINode& aNodeResolver)
 {
   return XPathEvaluator()->CreateNSResolver(aNodeResolver);
 }
 
 already_AddRefed<XPathResult>
 nsIDocument::Evaluate(JSContext* aCx, const nsAString& aExpression,
-                      nsINode* aContextNode, XPathNSResolver* aResolver,
+                      nsINode& aContextNode, XPathNSResolver* aResolver,
                       uint16_t aType, JS::Handle<JSObject*> aResult,
                       ErrorResult& rv)
 {
   return XPathEvaluator()->Evaluate(aCx, aExpression, aContextNode, aResolver,
                                     aType, aResult, rv);
 }
 
 NS_IMETHODIMP
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -131,18 +131,18 @@ template<typename> class OwningNonNull;
 template<typename> class Sequence;
 
 template<typename, typename> class CallbackObjectHolder;
 typedef CallbackObjectHolder<NodeFilter, nsIDOMNodeFilter> NodeFilterHolder;
 } // namespace dom
 } // namespace mozilla
 
 #define NS_IDOCUMENT_IID \
-{ 0x6bbf1955, 0xd9c4, 0x4d61, \
- { 0xbf, 0x75, 0x1b, 0xba, 0x55, 0xf7, 0x99, 0xc2 } }
+{ 0x1f343423, 0x957c, 0x4da3, \
+  { 0xaa, 0xa3, 0x07, 0x37, 0x54, 0x3e, 0x79, 0x2a } }
 
 // Enum for requesting a particular type of document when creating a doc
 enum DocumentFlavor {
   DocumentFlavorLegacyGuess, // compat with old code until made HTML5-compliant
   DocumentFlavorHTML, // HTMLDocument with HTMLness bit set to true
   DocumentFlavorSVG, // SVGDocument
   DocumentFlavorPlain, // Just a Document
 };
@@ -2339,17 +2339,17 @@ public:
   Element* GetBindingParent(nsINode& aNode);
   void LoadBindingDocument(const nsAString& aURI, mozilla::ErrorResult& rv);
   mozilla::dom::XPathExpression*
     CreateExpression(const nsAString& aExpression,
                      mozilla::dom::XPathNSResolver* aResolver,
                      mozilla::ErrorResult& rv);
   nsINode* CreateNSResolver(nsINode& aNodeResolver);
   already_AddRefed<mozilla::dom::XPathResult>
-    Evaluate(JSContext* aCx, const nsAString& aExpression, nsINode* aContextNode,
+    Evaluate(JSContext* aCx, const nsAString& aExpression, nsINode& aContextNode,
              mozilla::dom::XPathNSResolver* aResolver, uint16_t aType,
              JS::Handle<JSObject*> aResult, mozilla::ErrorResult& rv);
   // Touch event handlers already on nsINode
   already_AddRefed<mozilla::dom::Touch>
     CreateTouch(nsIDOMWindow* aView, mozilla::dom::EventTarget* aTarget,
                 int32_t aIdentifier, int32_t aPageX, int32_t aPageY,
                 int32_t aScreenX, int32_t aScreenY, int32_t aClientX,
                 int32_t aClientY, int32_t aRadiusX, int32_t aRadiusY,
--- a/dom/webidl/XPathEvaluator.webidl
+++ b/dom/webidl/XPathEvaluator.webidl
@@ -8,12 +8,12 @@
 interface XPathEvaluator {
   // Based on nsIDOMXPathEvaluator
   [NewObject, Throws]
   XPathExpression createExpression(DOMString expression,
                                    XPathNSResolver? resolver);
   [Pure]
   Node createNSResolver(Node nodeResolver);
   [Throws]
-  XPathResult evaluate(DOMString expression, Node? contextNode,
+  XPathResult evaluate(DOMString expression, Node contextNode,
                        XPathNSResolver? resolver, unsigned short type,
                        object? result);
 };
new file mode 100644
--- /dev/null
+++ b/dom/xslt/crashtests/1089049.html
@@ -0,0 +1,3 @@
+<script>
+var xpathResult = document.evaluate('', null, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
+</script>
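Review bot: The crashtest reaches the patched `evaluate` only through `document.evaluate`, while the same WebIDL method is also reachable from a standalone instance (XPathEvaluator::Constructor is visible in the XPathEvaluator.cpp hunk of this commit). If the Document binding and the XPathEvaluator binding share the `Node contextNode` declaration, both paths are fixed, but the regression test would still be stronger with a second line exercising the other entry point: `var xpathResult2 = new XPathEvaluator().evaluate('', null, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null);`. The existing line already relies on an uncaught TypeError from the binding being harmless to the crashtest harness, so the added line presumably behaves the same way.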
--- a/dom/xslt/crashtests/crashtests.list
+++ b/dom/xslt/crashtests/crashtests.list
@@ -9,8 +9,9 @@ load 485286.xml
 load 528300.xml
 load 528488.xml
 load 528963.xml
 load 545927.html
 load 601543.html
 load 603844.html
 load 602115.html
 load 667315.xml
+load 1089049.html
--- a/dom/xslt/xpath/XPathEvaluator.cpp
+++ b/dom/xslt/xpath/XPathEvaluator.cpp
@@ -170,26 +170,26 @@ XPathEvaluator::Constructor(const Global
                             ErrorResult& rv)
 {
     nsRefPtr<XPathEvaluator> newObj = new XPathEvaluator(nullptr);
     return newObj.forget();
 }
 
 already_AddRefed<XPathResult>
 XPathEvaluator::Evaluate(JSContext* aCx, const nsAString& aExpression,
-                         nsINode* aContextNode,
-                         XPathNSResolver* aResolver, uint16_t aType,
-                         JS::Handle<JSObject*> aResult, ErrorResult& rv)
+                         nsINode& aContextNode, XPathNSResolver* aResolver,
+                         uint16_t aType, JS::Handle<JSObject*> aResult,
+                         ErrorResult& rv)
 {
     nsAutoPtr<XPathExpression> expression(CreateExpression(aExpression,
                                                            aResolver, rv));
     if (rv.Failed()) {
         return nullptr;
     }
-    return expression->Evaluate(aCx, *aContextNode, aType, aResult, rv);
+    return expression->Evaluate(aCx, aContextNode, aType, aResult, rv);
 }
 
 
 /*
  * Implementation of txIParseContext private to XPathEvaluator, based on a
  * XPathNSResolver
  */
 
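Review bot: The crash was the unconditional `*aContextNode` on the removed line; with a reference parameter the dereference is forced onto whoever holds the pointer, and the only runtime null rejection left is the WebIDL binding's non-nullable `Node contextNode`. That contract is worth stating on the declaration in the XPathEvaluator.h hunk so a future C++ caller holding a possibly-null `nsINode*` does not reintroduce the bug by writing `*ptr` without a check: `// aContextNode is never null: the WebIDL binding rejects null before we get here; C++ callers holding an nsINode* must check it before dereferencing.` The nsIDocument::Evaluate wrapper in the nsDocument.cpp hunk only forwards the reference and needs no further change.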
--- a/dom/xslt/xpath/XPathEvaluator.h
+++ b/dom/xslt/xpath/XPathEvaluator.h
@@ -59,17 +59,17 @@ public:
                          nsINode* aResolver,
                          ErrorResult& aRv);
     nsINode* CreateNSResolver(nsINode& aNodeResolver)
     {
         return &aNodeResolver;
     }
     already_AddRefed<XPathResult>
         Evaluate(JSContext* aCx, const nsAString& aExpression,
-                 nsINode* aContextNode, XPathNSResolver* aResolver,
+                 nsINode& aContextNode, XPathNSResolver* aResolver,
                  uint16_t aType, JS::Handle<JSObject*> aResult,
                  ErrorResult& rv);
 private:
     XPathExpression*
         CreateExpression(const nsAString& aExpression,
                          txIParseContext* aContext,
                          nsIDocument* aDocument,
                          ErrorResult& aRv);