Bug 822691. Need to enter the right compartment before working with objects from it. r=smaug
authorBoris Zbarsky <bzbarsky@mit.edu>
Sat, 29 Dec 2012 22:13:27 -0800
changeset 126344 2618c84dd765f9645ad06ba7a015350fc54f6997
parent 126343 f06d734bcb53ddc5e15c1e2fcd3f786436b0eb42
child 126345 00ce7212c7ad9cc0f11386fd6c0343a6b17eeae9
push id2151
push userlsblakk@mozilla.com
push dateTue, 19 Feb 2013 18:06:57 +0000
reviewerssmaug
bugs822691
milestone20.0a1
Bug 822691. Need to enter the right compartment before working with objects from it. r=smaug
content/base/crashtests/822691.html
content/base/crashtests/crashtests.list
content/base/src/nsINode.cpp
new file mode 100644
--- /dev/null
+++ b/content/base/crashtests/822691.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  var frameDoc = document.getElementById("f").contentDocument;
+
+  var confusedNode = frameDoc.createTextNode("y");
+  confusedNode.__proto__ = document.createTextNode("x");
+  confusedNode.setUserData("key", "data", null);
+  confusedNode.setUserData("key", "data", null);
+}
+
+</script>
+</head>
+<body onload="boom();">
+<iframe src="data:text/html,1" id="f"></iframe>
+</body>
+</html>
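Review bot: The crashtest only drives setUserData, so the GetUserData path that the same commit patches in nsINode.cpp never runs against a node whose prototype comes from a different document. Adding `confusedNode.getUserData("key");` after the second setUserData call in boom() would cover it. A short comment above the repeated call, such as `// second call returns the old value, which has to be converted to a JS value`, would make clear the duplication is deliberate, since only a call with existing data reaches the conversion.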
--- a/content/base/crashtests/crashtests.list
+++ b/content/base/crashtests/crashtests.list
@@ -114,9 +114,10 @@ load 771639.html
 load 752226-1.html
 load 752226-2.html
 HTTP(..) load xhr_abortinprogress.html
 load 786854.html
 load xhr_empty_datauri.html
 load 815477.html
 load 815500.html
 load 816253.html
+load 822691.html
 load 822723.html
--- a/content/base/src/nsINode.cpp
+++ b/content/base/src/nsINode.cpp
@@ -693,30 +693,32 @@ nsINode::SetUserData(JSContext* aCx, con
     return JS::UndefinedValue();
   }
 
   if (!oldData) {
     return JS::NullValue();
   }
 
   JS::Value result;
+  JSAutoCompartment ac(aCx, GetWrapper());
   aError = nsContentUtils::XPConnect()->VariantToJS(aCx, GetWrapper(), oldData,
                                                     &result);
   return result;
 }
 
 JS::Value
 nsINode::GetUserData(JSContext* aCx, const nsAString& aKey, ErrorResult& aError)
 {
   nsIVariant* data = GetUserData(aKey);
   if (!data) {
     return JS::NullValue();
   }
 
   JS::Value result;
+  JSAutoCompartment ac(aCx, GetWrapper());
   aError = nsContentUtils::XPConnect()->VariantToJS(aCx, GetWrapper(), data,
                                                     &result);
   return result;
 }
 
 uint16_t
 nsINode::CompareDocumentPosition(nsINode& aOtherNode) const
 {
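Review bot: Both added `JSAutoCompartment ac(aCx, GetWrapper());` lines (in SetUserData and in GetUserData) pass GetWrapper() in unchecked and then call it a second time for VariantToJS. If the wrapper can be null on either path, which this hunk does not show, the compartment would be entered on a null object; fetching it once with `JSObject* wrapper = GetWrapper();`, returning an error when it is null, and using `wrapper` for both calls would make that assumption explicit. Because `result` is created inside the node's compartment and returned after `ac` is destroyed, a comment such as `// |result| belongs to the node's compartment; the caller must wrap it into its own` would document the contract this fix relies on. SetUserData's body starts outside the hunk.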