Bug 1089049 - crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate. r=bz.
☠☠ backed out by 41ec8dd3e641 ☠ ☠
authorPeter Van der Beken <peterv@propagandism.org>
Tue, 04 Nov 2014 10:20:08 +0100
changeset 213915 58e2cab9572e543b9eed843e9bd23763f064a617
parent 213914 d6cfdeca8a4c6251bb7413475d18f621f4270b1c
child 213916 41ec8dd3e641a6d560ffaf7aecbb01fe5a35b5ba
push id27768
push userkwierso@gmail.com
push dateWed, 05 Nov 2014 02:19:03 +0000
treeherdermozilla-central@a1823d3c7365 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs1089049
milestone36.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1089049 - crash in nsContentUtils::CanCallerAccess(nsINode*), Browser crashes if contextNode is null of document.evaluate. r=bz.
dom/base/nsDocument.cpp
dom/base/nsIDocument.h
dom/media/MediaManager.cpp
dom/media/gstreamer/GStreamerFunctionList.h
dom/media/nsIMediaManager.idl
dom/webidl/XPathEvaluator.webidl
dom/xslt/crashtests/1089049.html
dom/xslt/crashtests/crashtests.list
dom/xslt/xpath/XPathEvaluator.cpp
dom/xslt/xpath/XPathEvaluator.h
toolkit/content/aboutSupport.js
toolkit/content/aboutSupport.xhtml
toolkit/locales/en-US/chrome/global/aboutSupport.dtd
toolkit/modules/Troubleshoot.jsm
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -12396,17 +12396,17 @@ nsIDocument::CreateExpression(const nsAS
 nsINode*
 nsIDocument::CreateNSResolver(nsINode& aNodeResolver)
 {
   return XPathEvaluator()->CreateNSResolver(aNodeResolver);
 }
 
 already_AddRefed<XPathResult>
 nsIDocument::Evaluate(JSContext* aCx, const nsAString& aExpression,
-                      nsINode* aContextNode, XPathNSResolver* aResolver,
+                      nsINode& aContextNode, XPathNSResolver* aResolver,
                       uint16_t aType, JS::Handle<JSObject*> aResult,
                       ErrorResult& rv)
 {
   return XPathEvaluator()->Evaluate(aCx, aExpression, aContextNode, aResolver,
                                     aType, aResult, rv);
 }
 
 NS_IMETHODIMP
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -2339,17 +2339,17 @@ public:
   Element* GetBindingParent(nsINode& aNode);
   void LoadBindingDocument(const nsAString& aURI, mozilla::ErrorResult& rv);
   mozilla::dom::XPathExpression*
     CreateExpression(const nsAString& aExpression,
                      mozilla::dom::XPathNSResolver* aResolver,
                      mozilla::ErrorResult& rv);
   nsINode* CreateNSResolver(nsINode& aNodeResolver);
   already_AddRefed<mozilla::dom::XPathResult>
-    Evaluate(JSContext* aCx, const nsAString& aExpression, nsINode* aContextNode,
+    Evaluate(JSContext* aCx, const nsAString& aExpression, nsINode& aContextNode,
              mozilla::dom::XPathNSResolver* aResolver, uint16_t aType,
              JS::Handle<JSObject*> aResult, mozilla::ErrorResult& rv);
   // Touch event handlers already on nsINode
   already_AddRefed<mozilla::dom::Touch>
     CreateTouch(nsIDOMWindow* aView, mozilla::dom::EventTarget* aTarget,
                 int32_t aIdentifier, int32_t aPageX, int32_t aPageY,
                 int32_t aScreenX, int32_t aScreenY, int32_t aClientX,
                 int32_t aClientY, int32_t aRadiusX, int32_t aRadiusY,
--- a/dom/media/MediaManager.cpp
+++ b/dom/media/MediaManager.cpp
@@ -2482,9 +2482,71 @@ GetUserMediaNotificationEvent::Run()
   }
 
   nsCOMPtr<nsPIDOMWindow> window = nsGlobalWindow::GetInnerWindowWithId(mWindowID);
   NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
 
   return MediaManager::NotifyRecordingStatusChange(window, msg, mIsAudio, mIsVideo);
 }
 
+NS_IMETHODIMP
+MediaManager::GetDecoderVersions(uint32_t* aCount, char*** aDecoders)
+{
+  nsTArray<nsCString> decorders;
+#ifdef MOZ_RAW
+  if (MediaDecoder::IsRawEnabled()) {
+    decorders.AppendElement()->AppendLiteral("Raw");
+  }
+#endif
+#ifdef MOZ_WAVE
+  if (MediaDecoder::IsWaveEnabled()) {
+    decorders.AppendElement()->AppendLiteral("Wave");
+  }
+#endif
+#if defined(MOZ_WEBM) && !defined(MOZ_OMX_WEBM_DECODER)
+#endif
+#if defined(MOZ_FMP4) && !defined(MOZ_OMX_DECODER)
+  if (Preferences::GetBool("media.fragmented-mp4.exposed", false)) {
+    decorders.AppendElement()->AppendLiteral("Fragmented MP4");
+  }
+#endif
+#ifdef MOZ_GSTREAMER
+  if (MediaDecoder::IsGStreamerEnabled()) {
+    guint major, minor, micro, nano;
+    gst_version(major, minor, micro, nano);
+    decorders.AppendElement()->AppendPrintf("Fragmented MP4 %i.%i.%i.%i", major, minor, micro, nano);
+  }
+#endif
+#ifdef MOZ_OMX_DECODER
+#endif
+#ifdef MOZ_OMX_WEBM_DECODER
+#endif
+#ifdef MOZ_DIRECTSHOW
+#endif
+#ifdef MOZ_WMF
+#endif
+#ifdef MOZ_APPLEMEDIA
+  if (MediaDecoder::IsAppleMP3Enabled()) {
+    decorders.AppendElement()->AppendLiteral("Apple MP3");
+  }
+#endif
+#ifdef MOZ_ANDROID_OMX
+#endif
+#ifdef NECKO_PROTOCOL_rtsp
+#endif
+
+  *aCount = decorders.Length();
+  char** ret =
+    static_cast<char**>(NS_Alloc(*aCount * sizeof(char*)));
+  if (!ret) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  for (uint32_t i = 0; i < *aCount; ++i) {
+    ret[i] = NS_strdup(decorders[i].get());
+  }
+
+  *aDecoders = ret;
+
+  return NS_OK;
+}
+
 } // namespace mozilla
--- a/dom/media/gstreamer/GStreamerFunctionList.h
+++ b/dom/media/gstreamer/GStreamerFunctionList.h
@@ -68,16 +68,17 @@ GST_FUNC(LIBGSTREAMER, gst_segment_init)
 GST_FUNC(LIBGSTREAMER, gst_segment_to_stream_time)
 GST_FUNC(LIBGSTREAMER, gst_static_caps_get)
 GST_FUNC(LIBGSTREAMER, gst_structure_copy)
 GST_FUNC(LIBGSTREAMER, gst_structure_get_fraction)
 GST_FUNC(LIBGSTREAMER, gst_structure_get_int)
 GST_FUNC(LIBGSTREAMER, gst_structure_get_value)
 GST_FUNC(LIBGSTREAMER, gst_structure_new)
 GST_FUNC(LIBGSTREAMER, gst_util_uint64_scale)
+GST_FUNC(LIBGSTREAMER, gst_version)
 
 #if GST_VERSION_MAJOR == 0
 GST_FUNC(LIBGSTAPP, gst_app_sink_pull_buffer)
 GST_FUNC(LIBGSTREAMER, gst_buffer_copy_metadata)
 GST_FUNC(LIBGSTREAMER, gst_buffer_new_and_alloc)
 GST_FUNC(LIBGSTREAMER, gst_caps_unref)
 GST_FUNC(LIBGSTREAMER, gst_element_factory_get_klass)
 GST_FUNC(LIBGSTREAMER, gst_element_get_pad)
--- a/dom/media/nsIMediaManager.idl
+++ b/dom/media/nsIMediaManager.idl
@@ -17,9 +17,12 @@ interface nsIMediaManagerService : nsISu
 {
   /* return a array of inner windows that have active captures */
   readonly attribute nsISupportsArray activeMediaCaptureWindows;
 
   /* Get the capture state for the given window and all descendant windows (iframes, etc) */
   void mediaCaptureWindowState(in nsIDOMWindow aWindow, out boolean aVideo, out boolean aAudio,
                                [optional] out boolean aScreenShare, [optional] out boolean aWindowShare,
                                [optional] out boolean aAppShare);
+
+  void getDecoderVersions([optional] out unsigned long aCount,
+                          [retval, array, size_is(aCount)] out string aDecoders);
 };
--- a/dom/webidl/XPathEvaluator.webidl
+++ b/dom/webidl/XPathEvaluator.webidl
@@ -8,12 +8,12 @@
 interface XPathEvaluator {
   // Based on nsIDOMXPathEvaluator
   [NewObject, Throws]
   XPathExpression createExpression(DOMString expression,
                                    XPathNSResolver? resolver);
   [Pure]
   Node createNSResolver(Node nodeResolver);
   [Throws]
-  XPathResult evaluate(DOMString expression, Node? contextNode,
+  XPathResult evaluate(DOMString expression, Node contextNode,
                        XPathNSResolver? resolver, unsigned short type,
                        object? result);
 };
new file mode 100644
--- /dev/null
+++ b/dom/xslt/crashtests/1089049.html
@@ -0,0 +1,3 @@
+<script>
+var xpathResult = document.evaluate('', null, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
+</script>
--- a/dom/xslt/crashtests/crashtests.list
+++ b/dom/xslt/crashtests/crashtests.list
@@ -9,8 +9,9 @@ load 485286.xml
 load 528300.xml
 load 528488.xml
 load 528963.xml
 load 545927.html
 load 601543.html
 load 603844.html
 load 602115.html
 load 667315.xml
+load 1089049.html
--- a/dom/xslt/xpath/XPathEvaluator.cpp
+++ b/dom/xslt/xpath/XPathEvaluator.cpp
@@ -170,26 +170,26 @@ XPathEvaluator::Constructor(const Global
                             ErrorResult& rv)
 {
     nsRefPtr<XPathEvaluator> newObj = new XPathEvaluator(nullptr);
     return newObj.forget();
 }
 
 already_AddRefed<XPathResult>
 XPathEvaluator::Evaluate(JSContext* aCx, const nsAString& aExpression,
-                         nsINode* aContextNode,
-                         XPathNSResolver* aResolver, uint16_t aType,
-                         JS::Handle<JSObject*> aResult, ErrorResult& rv)
+                         nsINode& aContextNode, XPathNSResolver* aResolver,
+                         uint16_t aType, JS::Handle<JSObject*> aResult,
+                         ErrorResult& rv)
 {
     nsAutoPtr<XPathExpression> expression(CreateExpression(aExpression,
                                                            aResolver, rv));
     if (rv.Failed()) {
         return nullptr;
     }
-    return expression->Evaluate(aCx, *aContextNode, aType, aResult, rv);
+    return expression->Evaluate(aCx, aContextNode, aType, aResult, rv);
 }
 
 
 /*
  * Implementation of txIParseContext private to XPathEvaluator, based on a
  * XPathNSResolver
  */
 
--- a/dom/xslt/xpath/XPathEvaluator.h
+++ b/dom/xslt/xpath/XPathEvaluator.h
@@ -59,17 +59,17 @@ public:
                          nsINode* aResolver,
                          ErrorResult& aRv);
     nsINode* CreateNSResolver(nsINode& aNodeResolver)
     {
         return &aNodeResolver;
     }
     already_AddRefed<XPathResult>
         Evaluate(JSContext* aCx, const nsAString& aExpression,
-                 nsINode* aContextNode, XPathNSResolver* aResolver,
+                 nsINode& aContextNode, XPathNSResolver* aResolver,
                  uint16_t aType, JS::Handle<JSObject*> aResult,
                  ErrorResult& rv);
 private:
     XPathExpression*
         CreateExpression(const nsAString& aExpression,
                          txIParseContext* aContext,
                          nsIDocument* aDocument,
                          ErrorResult& aRv);
--- a/toolkit/content/aboutSupport.js
+++ b/toolkit/content/aboutSupport.js
@@ -266,16 +266,28 @@ let snapshotFormatters = {
       return $.new("tr", [
         $.new("th", prop, "column"),
         $.new("td", val),
       ]);
     });
     $.append($("graphics-tbody"), trs);
   },
 
+
+  media: function media(data) {
+    // media-tbody tbody
+dump("BAAAAAR\n" + data.toSource() + "\n");
+    let trs = data["decoderVersions"].map(function (val) {
+      return $.new("tr", [
+        $.new("td", val),
+      ]);
+    });
+    $.append($("media-tbody"), trs);
+  },
+
   javaScript: function javaScript(data) {
     $("javascript-incremental-gc").textContent = data.incrementalGCEnabled;
   },
 
   accessibility: function accessibility(data) {
     $("a11y-activated").textContent = data.isActive;
     $("a11y-force-disabled").textContent = data.forceDisabled || 0;
   },
--- a/toolkit/content/aboutSupport.xhtml
+++ b/toolkit/content/aboutSupport.xhtml
@@ -243,16 +243,33 @@
 
         <tbody id="graphics-failures-tbody">
         </tbody>
       </table>
 
       <!-- - - - - - - - - - - - - - - - - - - - - -->
 
       <h2 class="major-section">
+        &aboutSupport.mediaTitle;
+      </h2>
+
+      <table>
+        <thead class="no-copy">
+          <th>
+            &aboutSupport.decoderVersions;
+          </th>
+        </thead>
+
+        <tbody id="media-tbody">
+        </tbody>
+      </table>
+
+      <!-- - - - - - - - - - - - - - - - - - - - - -->
+
+      <h2 class="major-section">
         &aboutSupport.modifiedKeyPrefsTitle;
       </h2>
 
       <table class="prefs-table">
         <thead class="no-copy">
           <th class="name">
             &aboutSupport.modifiedPrefsName;
           </th>
--- a/toolkit/locales/en-US/chrome/global/aboutSupport.dtd
+++ b/toolkit/locales/en-US/chrome/global/aboutSupport.dtd
@@ -88,8 +88,11 @@ variant of aboutSupport.showDir.label. -
 
 <!ENTITY aboutSupport.libraryVersionsTitle "Library Versions">
 
 <!ENTITY aboutSupport.installationHistoryTitle "Installation History">
 <!ENTITY aboutSupport.updateHistoryTitle "Update History">
 
 <!ENTITY aboutSupport.copyTextToClipboard.label "Copy text to clipboard">
 <!ENTITY aboutSupport.copyRawDataToClipboard.label "Copy raw data to clipboard">
+
+<!ENTITY aboutSupport.mediaTitle "Media">
+<!ENTITY aboutSupport.decoderVersions "Decoder versions">
--- a/toolkit/modules/Troubleshoot.jsm
+++ b/toolkit/modules/Troubleshoot.jsm
@@ -412,16 +412,24 @@ let dataProviders = {
 
     let failures = gfxInfo.getFailures();
     if (failures.length)
       data.failures = failures;
 
     done(data);
   },
 
+  media: function media(done) {
+    let data = {};
+    let mediaMgr = Cc["@mozilla.org/mediaManagerService;1"].getService(Ci.nsIMediaManagerService);
+    data.decoderVersions = mediaMgr.getDecoderVersions();
+dump("FOOOOOOO\n" + data.toSource() + "\n");
+    done(data);
+  },
+
   javaScript: function javaScript(done) {
     let data = {};
     let winEnumer = Services.ww.getWindowEnumerator();
     if (winEnumer.hasMoreElements())
       data.incrementalGCEnabled = winEnumer.getNext().
                                   QueryInterface(Ci.nsIInterfaceRequestor).
                                   getInterface(Ci.nsIDOMWindowUtils).
                                   isIncrementalGCEnabled();