Bug 1321835. Assert that the givenProto argument for binding wrap methods is in the right compartment. r=peterv
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 08 Dec 2016 16:41:45 -1000
changeset 325475 deadb8cb73efabd29a9bb357319c7caddfd212be
parent 325474 6395d5edfd1577daeaa0786edf98ec9977c47e51
child 325476 698bbf4f2e26f4d7ad40961cfaa0f12bb882527f
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewerspeterv
bugs1321835
milestone53.0a1
Bug 1321835. Assert that the givenProto argument for binding wrap methods is in the right compartment. r=peterv
dom/bindings/BindingUtils.h
dom/bindings/Codegen.py
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -892,16 +892,17 @@ AssertReflectorHasGivenProto(JSContext* 
 
 template <class T, GetOrCreateReflectorWrapBehavior wrapBehavior>
 MOZ_ALWAYS_INLINE bool
 DoGetOrCreateDOMReflector(JSContext* cx, T* value,
                           JS::Handle<JSObject*> givenProto,
                           JS::MutableHandle<JS::Value> rval)
 {
   MOZ_ASSERT(value);
+  MOZ_ASSERT_IF(givenProto, js::IsObjectInContextCompartment(givenProto, cx));
   // We can get rid of this when we remove support for hasXPConnectImpls.
   bool couldBeDOMBinding = CouldBeDOMBinding(value);
   JSObject* obj = value->GetWrapper();
   if (obj) {
 #ifdef DEBUG
     AssertReflectorHasGivenProto(cx, obj, givenProto);
     // Have to reget obj because AssertReflectorHasGivenProto can
     // trigger gc so the pointer may now be invalid.
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -3626,16 +3626,17 @@ class CGWrapWithCacheMethod(CGAbstractMe
             aCache->ReleaseWrapper(aObject);
             aCache->ClearWrapper();
             return false;
             """)
 
         return fill(
             """
             $*{assertInheritance}
+            MOZ_ASSERT_IF(aGivenProto, js::IsObjectInContextCompartment(aGivenProto, aCx));
             MOZ_ASSERT(!aCache->GetWrapper(),
                        "You should probably not be using Wrap() directly; use "
                        "GetOrCreateDOMReflector instead");
 
             MOZ_ASSERT(ToSupportsIsOnPrimaryInheritanceChain(aObject, aCache),
                        "nsISupports must be on our primary inheritance chain");
 
             JS::Rooted<JSObject*> global(aCx, FindAssociatedGlobal(aCx, aObject->GetParentObject()));
@@ -3726,16 +3727,17 @@ class CGWrapNonWrapperCacheMethod(CGAbst
         self.properties = properties
 
     def definition_body(self):
         failureCode = "return false;\n"
 
         return fill(
             """
             $*{assertions}
+            MOZ_ASSERT_IF(aGivenProto, js::IsObjectInContextCompartment(aGivenProto, aCx));
 
             JS::Rooted<JSObject*> global(aCx, JS::CurrentGlobalOrNull(aCx));
             $*{declareProto}
 
             $*{createObject}
 
             $*{unforgeable}