Bug 905364 - Don't call into AllowXULXBLForPrincipal during SafeJSContext initialization. r=bz
authorBobby Holley <bobbyholley@gmail.com>
Fri, 06 Sep 2013 11:35:11 -0700
changeset 158921 5b1ca7188e8477f5b7007b27c448feea73e8ddee
parent 158920 1699c4e7afdc3cc6e347412c59ace7a6f8ab17c3
child 158922 56d1c3a7fd4e42546b910dfa96902b1527d3afd9
push id2961
push userlsblakk@mozilla.com
push dateMon, 28 Oct 2013 21:59:28 +0000
treeherdermozilla-beta@73ef4f13486f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 905364 - Don't call into AllowXULXBLForPrincipal during SafeJSContext initialization. r=bz In the old world, we'd be saved by initializing the SafeJSContext early enough that we'd short-circuit in the nsContentUtils::IsInitialized() check. That's not the case anymore, so let's hande this explicitly.
--- a/js/xpconnect/src/XPCJSContextStack.cpp
+++ b/js/xpconnect/src/XPCJSContextStack.cpp
@@ -120,17 +120,17 @@ SafeFinalize(JSFreeOp *fop, JSObject* ob
     SandboxPrivate* sop =
-static JSClass global_class = {
+JSClass xpc::SafeJSContextGlobalClass = {
     JS_PropertyStub, JS_DeletePropertyStub, JS_PropertyStub, JS_StrictPropertyStub,
     JS_EnumerateStub, SafeGlobalResolve, JS_ConvertStub, SafeFinalize,
     NULL, NULL, NULL, NULL, TraceXPCGlobal
@@ -156,17 +156,17 @@ XPCJSContextStack::GetSafeJSContext()
     JSAutoRequest req(mSafeJSContext);
     JS::RootedObject glob(mSafeJSContext);
     JS_SetErrorReporter(mSafeJSContext, xpc::SystemErrorReporter);
     JS::CompartmentOptions options;
-    glob = xpc::CreateGlobalObject(mSafeJSContext, &global_class, principal, options);
+    glob = xpc::CreateGlobalObject(mSafeJSContext, &SafeJSContextGlobalClass, principal, options);
     if (!glob)
     // Make sure the context is associated with a proper compartment
     // and not the default compartment.
     js::SetDefaultObjectForContext(mSafeJSContext, glob);
     // Note: make sure to set the private before calling
--- a/js/xpconnect/src/XPCWrappedNativeScope.cpp
+++ b/js/xpconnect/src/XPCWrappedNativeScope.cpp
@@ -13,16 +13,17 @@
 #include "nsPrincipal.h"
 #include "mozilla/MemoryReporting.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/dom/BindingUtils.h"
 using namespace mozilla;
 using namespace xpc;
+using namespace JS;
 static int DEBUG_TotalScopeCount;
 static int DEBUG_TotalLiveScopeCount;
 static int DEBUG_TotalMaxScopeCount;
 static int DEBUG_TotalScopeTraversalCount;
@@ -92,27 +93,34 @@ XPCWrappedNativeScope::GetNewOrUsed(JSCo
     XPCWrappedNativeScope* scope = GetObjectScope(aGlobal);
     if (!scope) {
         scope = new XPCWrappedNativeScope(cx, aGlobal);
     return scope;
 static bool
-RemoteXULForbidsXBLScope(nsIPrincipal *aPrincipal)
+RemoteXULForbidsXBLScope(nsIPrincipal *aPrincipal, HandleObject aGlobal)
-  // We end up getting called during SSM bootstrapping to create the
-  // SafeJSContext. In that case, nsContentUtils isn't ready for us.
-  //
-  // Also check for random JSD scopes that don't have a principal.
-  if (!nsContentUtils::IsInitialized() || !aPrincipal)
+  // Check for random JSD scopes that don't have a principal.
+  if (!aPrincipal)
+      return false;
+  // The SafeJSContext is lazily created, and tends to be created at really
+  // weird times, at least for xpcshell (often very early in startup or late
+  // in shutdown). Its scope isn't system principal, so if we proceeded we'd
+  // end up calling into AllowXULXBLForPrincipal, which depends on all kinds
+  // of persistent storage and permission machinery that may or not be running.
+  // We know the answer to the question here, so just short-circuit.
+  if (JS_GetClass(aGlobal) == &SafeJSContextGlobalClass)
       return false;
   // AllowXULXBLForPrincipal will return true for system principal, but we
   // don't want that here.
+  MOZ_ASSERT(nsContentUtils::IsInitialized());
   if (nsContentUtils::IsSystemPrincipal(aPrincipal))
       return false;
   // If this domain isn't whitelisted, we're done.
   if (!nsContentUtils::AllowXULXBLForPrincipal(aPrincipal))
       return false;
   // Check the pref to determine how we should behave.
@@ -156,17 +164,17 @@ XPCWrappedNativeScope::XPCWrappedNativeS
     // Attach ourselves to the compartment private.
     CompartmentPrivate *priv = EnsureCompartmentPrivate(aGlobal);
     priv->scope = this;
     // Determine whether we would allow an XBL scope in this situation.
     // In addition to being pref-controlled, we also disable XBL scopes for
     // remote XUL domains, _except_ if we have an additional pref override set.
     nsIPrincipal *principal = GetPrincipal();
-    mAllowXBLScope = !RemoteXULForbidsXBLScope(principal);
+    mAllowXBLScope = !RemoteXULForbidsXBLScope(principal, aGlobal);
     // Determine whether to use an XBL scope.
     mUseXBLScope = mAllowXBLScope;
     if (mUseXBLScope) {
       js::Class *clasp = js::GetObjectClass(mGlobalJSObject);
       mUseXBLScope = !strcmp(clasp->name, "Window") ||
                      !strcmp(clasp->name, "ChromeWindow") ||
                      !strcmp(clasp->name, "ModalContentWindow");
--- a/js/xpconnect/src/xpcprivate.h
+++ b/js/xpconnect/src/xpcprivate.h
@@ -3852,16 +3852,18 @@ inline XPCWrappedNativeScope*
 GetObjectScope(JSObject *obj)
     return EnsureCompartmentPrivate(obj)->scope;
 extern bool gDebugMode;
 extern bool gDesiredDebugMode;
+extern JSClass SafeJSContextGlobalClass;
 JSObject* NewOutObject(JSContext* cx, JSObject* scope);
 bool IsOutObject(JSContext* cx, JSObject* obj);
 nsresult HasInstance(JSContext *cx, JS::HandleObject objArg, const nsID *iid, bool *bp);
 } // namespace xpc