Bug 830614. Wrapping a wrappercached WebIDL object should watch out for reentry via WrapNativeParent. r=peterv, a=lsblakk
authorBoris Zbarsky <bzbarsky@mit.edu>
Tue, 15 Jan 2013 14:04:24 -0500
changeset 123618 3f9116d9a244098690be39f6665ee10438dd8015
parent 123617 6ffa766f5cb8e771674c6d9920e803b38ab0ed30
child 123619 90a169d6ac0739d5312ace8def9b11fa36b1823f
push id3187
push userbzbarsky@mozilla.com
push dateWed, 16 Jan 2013 03:31:44 +0000
treeherdermozilla-aurora@3f9116d9a244 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerspeterv, lsblakk
bugs830614
milestone20.0a2
Bug 830614. Wrapping a wrappercached WebIDL object should watch out for reentry via WrapNativeParent. r=peterv, a=lsblakk
content/xbl/crashtests/830614-1.xul
content/xbl/crashtests/crashtests.list
dom/bindings/Codegen.py
new file mode 100644
--- /dev/null
+++ b/content/xbl/crashtests/830614-1.xul
@@ -0,0 +1,24 @@
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        onload="document.getElementById('trigger');">
+  <box style="display: none">
+    <bindings xmlns="http://www.mozilla.org/xbl">
+      <binding id="crash">
+        <implementation>
+          <constructor>
+            // Fetch it
+            var obj = this.getElementsByTagName("box")[0];
+            // And make it preserve its wrapper.  Note that this will happen
+            // while we're wrapping our box as the parent for id="trigger",
+            // so then we'll unwind and things will be bad.
+            if (obj) obj.expando = 5;
+          </constructor>
+        </implementation>
+      </binding>
+    </bindings>
+    <box style="-moz-binding:url(#crash);">
+      <box id="trigger"/>
+    </box>
+  </box>
+  <!-- Make sure we load our XBL before we try to run our test -->
+  <box style="-moz-binding:url(#crash);"/>
+</window>
--- a/content/xbl/crashtests/crashtests.list
+++ b/content/xbl/crashtests/crashtests.list
@@ -31,8 +31,9 @@ load 464863-1.xhtml
 load 472260-1.xhtml
 load 477878-1.html
 load 492978-1.xul
 asserts-if(Android,2) load 493123-1.xhtml
 load 495354-1.xhtml
 load 507628-1.xhtml
 load 507991-1.xhtml
 load set-field-bad-this.xhtml
+load 830614-1.xul
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -1784,16 +1784,26 @@ class CGWrapWithCacheMethod(CGAbstractMe
 
         return """  *aTriedToWrap = true;
 
   JSObject* parent = WrapNativeParent(aCx, aScope, aObject->GetParentObject());
   if (!parent) {
     return NULL;
   }
 
+  // That might have ended up wrapping us already, due to the wonders
+  // of XBL.  Check for that, and bail out as needed.  Scope so we don't
+  // collide with the "obj" we declare in CreateBindingJSObject.
+  {
+    JSObject* obj = aCache->GetWrapper();
+    if (obj) {
+      return obj;
+    }
+  }
+
   JSAutoCompartment ac(aCx, parent);
   JSObject* global = JS_GetGlobalForObject(aCx, parent);
 %s
   JSObject* proto = GetProtoObject(aCx, global);
   if (!proto) {
     return NULL;
   }