Bug 1094953: Ensure that GetGlobalJSObject on the native global does not return null in nsXPCWrappedJSClass::DelegatedQueryInterface. r=bholley
authorBob Owen <bobowencode@gmail.com>
Mon, 09 Feb 2015 19:55:57 +0000
changeset 241834 46627b312b8d228592b7a9b67ef057fcf0a3cbb2
parent 241833 075d31f8da0e1c5c274b7d7684cf16333738dc21
child 241835 c915d1a940963b6298ef6f563ec170d8c833ee98
push id624
push userdburns@mozilla.com
push dateTue, 10 Feb 2015 13:30:25 +0000
reviewersbholley
bugs1094953
milestone38.0a1
Bug 1094953: Ensure that GetGlobalJSObject on the native global does not return null in nsXPCWrappedJSClass::DelegatedQueryInterface. r=bholley
js/xpconnect/src/XPCWrappedJSClass.cpp
--- a/js/xpconnect/src/XPCWrappedJSClass.cpp
+++ b/js/xpconnect/src/XPCWrappedJSClass.cpp
@@ -503,18 +503,23 @@ nsXPCWrappedJSClass::DelegatedQueryInter
     // We can't have a cached wrapper.
     if (aIID.Equals(NS_GET_IID(nsWrapperCache))) {
         *aInstancePtr = nullptr;
         return NS_NOINTERFACE;
     }
 
     // QI on an XPCWrappedJS can run script, so we need an AutoEntryScript.
     // This is inherently Gecko-specific.
+    // We check both nativeGlobal and nativeGlobal->GetGlobalJSObject() even
+    // though we have derived nativeGlobal from the JS global, because we know
+    // there are cases where this can happen. See bug 1094953.
     nsIGlobalObject* nativeGlobal =
       NativeGlobal(js::GetGlobalForObjectCrossCompartment(self->GetJSObject()));
+    NS_ENSURE_TRUE(nativeGlobal, NS_ERROR_FAILURE);
+    NS_ENSURE_TRUE(nativeGlobal->GetGlobalJSObject(), NS_ERROR_FAILURE);
     AutoEntryScript aes(nativeGlobal, /* aIsMainThread = */ true);
     XPCCallContext ccx(NATIVE_CALLER, aes.cx());
     if (!ccx.IsValid()) {
         *aInstancePtr = nullptr;
         return NS_NOINTERFACE;
     }
 
     // We support nsISupportsWeakReference iff the root wrapped JSObject
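Review bot: The two NS_ENSURE_TRUE exits added at the nativeGlobal lookup return without clearing the out-parameter, while every other early return visible in this hunk (the nsWrapperCache branch and the `!ccx.IsValid()` branch) sets `*aInstancePtr = nullptr` first; a caller that does not check the nsresult would then read whatever was in *aInstancePtr. Replacing the two macro lines with an explicit check keeps the QI contract consistent within the function: `if (!nativeGlobal || !nativeGlobal->GetGlobalJSObject()) { *aInstancePtr = nullptr; return NS_ERROR_FAILURE; }`. NS_ENSURE_TRUE also emits a warning on failure, which the comment above suggests is an expected condition (see bug 1094953); whether that noise is wanted, and whether NS_ERROR_FAILURE rather than the NS_NOINTERFACE used by the neighbouring exits is the intended code, is worth a sentence in the comment. DelegatedQueryInterface begins before and continues past this hunk, so the out-parameter handling of its remaining exits cannot be checked here.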