Bug 1048330 - Null-check the XBL scope in more places. r=smaug, a=sledru
authorBobby Holley <bobbyholley@gmail.com>
Tue, 05 Aug 2014 12:10:34 -0400
changeset 209327 f5df74fab22f58cf26c387d17594a6ae725af47f
parent 209326 70277dbb90713b9f14f74ca814a7a667dae1027f
child 209328 68181edc64c1fbfb7b82aa0d18c8df73dd5607aa
push id494
push userraliiev@mozilla.com
push dateMon, 25 Aug 2014 18:42:16 +0000
treeherdermozilla-release@a3cc3e46b571 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug, sledru
Bug 1048330 - Null-check the XBL scope in more places. r=smaug, a=sledru
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -1405,16 +1405,17 @@ WrapNativeParent(JSContext* cx, T* p, ns
   // If useXBLScope is true, it means that the canonical reflector for this
   // native object should live in the XBL scope.
   if (xpc::IsInContentXBLScope(parent)) {
     return parent;
   JS::Rooted<JSObject*> rootedParent(cx, parent);
   JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScope(cx, rootedParent));
+  NS_ENSURE_TRUE(xblScope, nullptr);
   JSAutoCompartment ac(cx, xblScope);
   if (NS_WARN_IF(!JS_WrapObject(cx, &rootedParent))) {
     return nullptr;
   return rootedParent;
--- a/dom/xbl/nsBindingManager.cpp
+++ b/dom/xbl/nsBindingManager.cpp
@@ -640,16 +640,17 @@ nsBindingManager::GetBindingImplementati
       // content in order to view the full array of methods defined in the
       // binding, some of which may not be exposed on the prototype of
       // untrusted content.
       // If there's no separate XBL scope, or if the reflector itself lives in
       // the XBL scope, we'll end up with the global of the reflector, and this
       // will all be a no-op.
       JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScopeOrGlobal(cx, jsobj));
       JSAutoCompartment ac(cx, xblScope);
       bool ok = JS_WrapObject(cx, &jsobj);
       MOZ_ASSERT_IF(js::IsWrapper(jsobj), xpc::IsXrayWrapper(jsobj));
       nsresult rv = xpConnect->WrapJSAggregatedToNative(aContent, cx,
                                                         jsobj, aIID, aResult);
       if (NS_FAILED(rv))
--- a/dom/xbl/nsXBLBinding.cpp
+++ b/dom/xbl/nsXBLBinding.cpp
@@ -921,16 +921,17 @@ GetOrCreateMapEntryForPrototype(JSContex
   // to content prototypes), and the other for class objects that live in the
   // XBL scope (prototyped to cross-compartment-wrapped content prototypes).
   const char* name = xpc::IsInContentXBLScope(proto) ? "__ContentClassObjectMap__"
                                                      : "__XBLClassObjectMap__";
   // Now, enter the XBL scope, since that's where we need to operate, and wrap
   // the proto accordingly.
   JS::Rooted<JSObject*> scope(cx, xpc::GetXBLScopeOrGlobal(cx, proto));
+  NS_ENSURE_TRUE(scope, nullptr);
   JS::Rooted<JSObject*> wrappedProto(cx, proto);
   JSAutoCompartment ac(cx, scope);
   if (!JS_WrapObject(cx, &wrappedProto)) {
     return nullptr;
   // Grab the appropriate WeakMap.
   JS::Rooted<JSObject*> map(cx, GetOrCreateClassObjectMap(cx, scope, name));
@@ -976,16 +977,17 @@ nsXBLBinding::DoInitJSClass(JSContext *c
   // Note that, now that NAC reflectors are created in the XBL scope, the
   // reflector is not necessarily same-compartment with the document. So we'll
   // end up creating a separate instance of the oddly-named XBL class object
   // and defining it as a property on the XBL scope's global. This works fine,
   // but we need to make sure never to assume that the the reflector and
   // prototype are same-compartment with the bound document.
   JS::Rooted<JSObject*> global(cx, js::GetGlobalForObjectCrossCompartment(obj));
   JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScopeOrGlobal(cx, global));
   JS::Rooted<JSObject*> parent_proto(cx);
   if (!JS_GetPrototype(cx, obj, &parent_proto)) {
     return NS_ERROR_FAILURE;
   // Get the map entry for the parent prototype. In the one-off case that the
   // parent prototype is null, we somewhat hackily just use the WeakMap itself