Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; r=smaug
author Edgar Chen <echen@mozilla.com>
Mon, 16 Oct 2017 10:14:56 +0800
changeset 446693 0104943883497aad91b800752a671d58e450675d
parent 446692 1d0330d6d96fcce081c477914219061efe601bb8
child 446694 251110eaf3c43520f1ba7c5d452b4a2c099e6cc9
push id 1648
push user mtabara@mozilla.com
push date Thu, 01 Mar 2018 12:45:47 +0000
treeherder mozilla-release@cbb9688c2eeb
reviewers smaug
bugs 1396620
milestone 59.0a1
Bug 1396620 - Part 2: Fix compartment mismatch crash when doing old prototype swizzling for custom element; r=smaug

MozReview-Commit-ID: GMxikyKJ54A
dom/base/Element.cpp
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -522,16 +522,20 @@ Element::WrapObject(JSContext *aCx, JS::
     // Custom element prototype swizzling.
     CustomElementData* data = GetCustomElementData();
     if (data) {
       // If this is a registered custom element then fix the prototype.
       nsContentUtils::GetCustomPrototype(OwnerDoc(), NodeInfo()->NamespaceID(),
                                          data->GetCustomElementType(), &customProto);
       if (customProto &&
           NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))) {
+        // The custom element prototype could be in different compartment.
+        if (!JS_WrapObject(aCx, &customProto)) {
+          return nullptr;
+        }
         // Just go ahead and create with the right proto up front.  Set
         // customProto to null to flag that we don't need to do any post-facto
         // proto fixups here.
         givenProto = customProto;
         customProto = nullptr;
       }
     }
   }
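Review bot: The new comment above `JS_WrapObject(aCx, &customProto)` says only that the prototype "could be in different compartment"; it should also say that the wrap has to stay after the `SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(customProto))` test. That test reads the principal from `customProto` as returned by `GetCustomPrototype`, before it is wrapped into the compartment of `aCx`, and a later refactor that hoists the wrap above the condition would make the check look at the wrapped object instead of the prototype itself. It would also help to note in the comment that after the wrap `givenProto` may be a cross-compartment wrapper rather than the prototype object, since the code after this block receives it as the proto. On the failure path, `return nullptr` matches how a failed wrap is normally propagated, but the change as shown touches only `dom/base/Element.cpp`; a crash fix like this should come with a regression test that exercises a custom element whose prototype lives in a different compartment from the wrapping context, either here or in another part of the series.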