Bug 644325 - Enter the listener's compartment sooner, and use the correct scope for wrapping to avoid compartment mismatches. r=mrbkap a=legneato
authorJosh Matthews <josh@joshmatthews.net>
Thu, 12 May 2011 11:26:05 +0100
changeset 70364 045847071b97839ae0eb8747a60ec03d9f4fcdc0
parent 70363 866ac43c5b8b8e39933f75fc5241e814cab4cfb1
child 70365 727ffd26278ddbea25ae3e97e5341e95dbbe0716
push id196
push userjosh@joshmatthews.net
push dateThu, 30 Jun 2011 21:43:51 +0000
reviewersmrbkap, legneato
bugs644325
milestone6.0a2
Bug 644325 - Enter the listener's compartment sooner, and use the correct scope for wrapping to avoid compartment mismatches. r=mrbkap a=legneato
content/base/src/nsFrameMessageManager.cpp
--- a/content/base/src/nsFrameMessageManager.cpp
+++ b/content/base/src/nsFrameMessageManager.cpp
@@ -354,23 +354,27 @@ nsFrameMessageManager::ReceiveMessage(ns
         if (!object) {
           continue;
         }
         nsCxPusher pusher;
         NS_ENSURE_STATE(pusher.Push(ctx, PR_FALSE));
 
         JSAutoRequest ar(ctx);
 
+        JSAutoEnterCompartment ac;
+        if (!ac.enter(ctx, object))
+          return NS_ERROR_FAILURE;
+
         // The parameter for the listener function.
         JSObject* param = JS_NewObject(ctx, NULL, NULL, NULL);
         NS_ENSURE_TRUE(param, NS_ERROR_OUT_OF_MEMORY);
 
         jsval targetv;
         nsContentUtils::WrapNative(ctx,
-                                   JS_GetGlobalObject(ctx),
+                                   JS_GetGlobalForObject(ctx, object),
                                    aTarget, &targetv);
 
         // To keep compatibility with e10s message manager,
         // define empty objects array.
         if (!aObjectsArray) {
           // Because we want JS messages to have always the same properties,
           // create array even if len == 0.
           aObjectsArray = JS_NewArrayObject(ctx, 0, NULL);
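Review bot: The result of `nsContentUtils::WrapNative` for `aTarget` is discarded and `targetv` is declared without an initializer, so a failed wrap leaves an indeterminate jsval that is presumably defined on `param` in the lines between the two hunks. I would initialise and check it: `jsval targetv = JSVAL_VOID;` then `nsresult rv = nsContentUtils::WrapNative(ctx, JS_GetGlobalForObject(ctx, object), aTarget, &targetv);` and `NS_ENSURE_SUCCESS(rv, rv);`. The second call in the next hunk, which wraps `defaultThisValue`, is unchecked as well; `thisValue` starts as `JSVAL_VOID` there, so a failure would silently invoke the listener with an undefined `this`. ReceiveMessage begins and ends outside this hunk.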
@@ -397,37 +401,32 @@ nsFrameMessageManager::ReceiveMessage(ns
         JS_DefineProperty(ctx, param, "sync",
                           BOOLEAN_TO_JSVAL(aSync), NULL, NULL, JSPROP_ENUMERATE);
         JS_DefineProperty(ctx, param, "json", json, NULL, NULL, JSPROP_ENUMERATE);
         JS_DefineProperty(ctx, param, "objects", OBJECT_TO_JSVAL(aObjectsArray),
                           NULL, NULL, JSPROP_ENUMERATE);
 
         jsval thisValue = JSVAL_VOID;
 
-        JSAutoEnterCompartment ac;
-
-        if (!ac.enter(ctx, object))
-          return NS_ERROR_FAILURE;
-
         jsval funval = JSVAL_VOID;
         if (JS_ObjectIsFunction(ctx, object)) {
           // If the listener is a JS function:
           funval = OBJECT_TO_JSVAL(object);
 
           // A small hack to get 'this' value right on content side where
           // messageManager is wrapped in TabChildGlobal.
           nsCOMPtr<nsISupports> defaultThisValue;
           if (mChrome) {
             defaultThisValue =
               do_QueryInterface(static_cast<nsIContentFrameMessageManager*>(this));
           } else {
             defaultThisValue = aTarget;
           }
           nsContentUtils::WrapNative(ctx,
-                                     JS_GetGlobalObject(ctx),
+                                     JS_GetGlobalForObject(ctx, object),
                                      defaultThisValue, &thisValue);
         } else {
           // If the listener is a JS object which has receiveMessage function:
           NS_ENSURE_STATE(JS_GetProperty(ctx, object, "receiveMessage",
                                          &funval) &&
                           JSVAL_IS_OBJECT(funval) &&
                           !JSVAL_IS_NULL(funval));
           JSObject* funobject = JSVAL_TO_OBJECT(funval);
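Review bot: `aObjectsArray` is defined on `param` as `OBJECT_TO_JSVAL(aObjectsArray)` without being wrapped into the listener's compartment, which this commit now enters before `param` is created. If the caller supplies the array, or if the array created for one listener in the first hunk is reused for a later listener, it may belong to a different compartment than `param`. That is inferred, since neither the callers nor the loop header is visible here. Consider wrapping a per-listener copy before defining the property, e.g. `JSObject* objects = aObjectsArray;` and `if (!JS_WrapObject(ctx, &objects)) return NS_ERROR_UNEXPECTED;`, then passing `OBJECT_TO_JSVAL(objects)`. The same question applies to `json`, which is built outside the hunk; ReceiveMessage itself starts before and continues past these lines.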