From 9638eeef71cb5101eb18d323ecdc4b30836a80ed Mon Sep 17 00:00:00 2001 From: Roy Tam Date: Sat, 12 Jan 2019 18:20:33 +0800 Subject: [PATCH] reverting these changes in order to fix crash for now: - Bug 1136925 part 1. Stop passing a parent to JS_CloneObject (02806f3cb) - Bug 1136925 part 2. Stop passing a parent to Wrapper::New. (1d51cbd34) - Bug 1136925 part 3. Stop passing parents to js::NewProxyObject. (dc13db8da) - Bug 1136925 part 4. Stop passing parents to ProxyObject::New. (e2d30e340) --- dom/base/WindowNamedPropertiesHandler.cpp | 1 + dom/base/nsGlobalWindow.cpp | 8 +++----- dom/bindings/BindingUtils.cpp | 2 +- dom/bindings/BindingUtils.h | 2 +- js/ipc/WrapperOwner.cpp | 1 + js/public/Proxy.h | 2 +- js/src/jsapi-tests/testBug604087.cpp | 9 +++++---- .../testSetPropertyIgnoringNamedGetter.cpp | 2 +- js/src/jsapi.h | 3 ++- js/src/jscompartment.cpp | 2 +- js/src/jsfriendapi.cpp | 4 ++-- js/src/jsfriendapi.h | 3 ++- js/src/jsobj.cpp | 6 +++--- js/src/jsobj.h | 2 +- js/src/jswrapper.h | 5 +++-- js/src/proxy/Proxy.cpp | 5 +++-- js/src/proxy/ScriptedDirectProxyHandler.cpp | 2 +- js/src/proxy/ScriptedIndirectProxyHandler.cpp | 14 ++++++++++---- js/src/proxy/Wrapper.cpp | 11 +++++++---- js/src/shell/js.cpp | 2 +- js/src/vm/ProxyObject.cpp | 6 ++++-- js/src/vm/ProxyObject.h | 3 ++- js/src/vm/ScopeObject.cpp | 2 +- js/xpconnect/src/Sandbox.cpp | 4 ++-- js/xpconnect/wrappers/WrapperFactory.cpp | 9 ++++++--- js/xpconnect/wrappers/WrapperFactory.h | 3 ++- 26 files changed, 67 insertions(+), 46 deletions(-) diff --git a/dom/base/WindowNamedPropertiesHandler.cpp b/dom/base/WindowNamedPropertiesHandler.cpp index a2d4dc3ef0..a2402e9dd6 100644 --- a/dom/base/WindowNamedPropertiesHandler.cpp +++ b/dom/base/WindowNamedPropertiesHandler.cpp 
@@ -280,6 +280,7 @@ WindowNamedPropertiesHandler::Create(JSContext* aCx, options.setClass(&WindowNamedPropertiesClass.mBase); return js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(), JS::NullHandleValue, aProto, + js::GetGlobalForObjectCrossCompartment(aProto), options); } diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp index d16e49d62d..0694926963 100644 --- a/dom/base/nsGlobalWindow.cpp +++ b/dom/base/nsGlobalWindow.cpp @@ -1059,15 +1059,13 @@ const nsChromeOuterWindowProxy nsChromeOuterWindowProxy::singleton; static JSObject* -NewOuterWindowProxy(JSContext *cx, JS::Handle global, bool isChrome) +NewOuterWindowProxy(JSContext *cx, JS::Handle parent, bool isChrome) { - JSAutoCompartment ac(cx, global); - MOZ_ASSERT(js::GetGlobalForObjectCrossCompartment(global) == global); - + JSAutoCompartment ac(cx, parent); js::WrapperOptions options; options.setClass(&OuterWindowProxyClass); options.setSingleton(true); - JSObject *obj = js::Wrapper::New(cx, global, + JSObject *obj = js::Wrapper::New(cx, parent, parent, isChrome ? &nsChromeOuterWindowProxy::singleton : &nsOuterWindowProxy::singleton, options); diff --git a/dom/bindings/BindingUtils.cpp b/dom/bindings/BindingUtils.cpp index 9b164d5f63..26fbb9d963 100644 --- a/dom/bindings/BindingUtils.cpp +++ b/dom/bindings/BindingUtils.cpp @@ -1831,7 +1831,7 @@ ReparentWrapper(JSContext* aCx, JS::Handle aObjArg) return NS_ERROR_FAILURE; } - JS::Rooted newobj(aCx, JS_CloneObject(aCx, aObj, proto)); + JS::Rooted newobj(aCx, JS_CloneObject(aCx, aObj, proto, newParent)); if (!newobj) { return NS_ERROR_FAILURE; } diff --git a/dom/bindings/BindingUtils.h b/dom/bindings/BindingUtils.h index f735474f11..a0cc11b0cd 100644 --- a/dom/bindings/BindingUtils.h +++ b/dom/bindings/BindingUtils.h 
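Review bot: The nsGlobalWindow hunk drops the `MOZ_ASSERT(js::GetGlobalForObjectCrossCompartment(global) == global)` sanity check along with the rename, yet the new `Wrapper::New(cx, parent, parent, ...)` call now uses the same object as both proxy target and parent, so the invariant that it really is a global matters more, not less. Keep the check under the new name: `MOZ_ASSERT(js::GetGlobalForObjectCrossCompartment(parent) == parent);` right after `JSAutoCompartment ac(cx, parent);`. The outer-window proxy is the boundary between compartments, so a non-global slipping in here would be worth catching in debug builds rather than discovering at the crash this commit is working around. NewOuterWindowProxy's body continues past the end of the hunk.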
@@ -2795,7 +2795,7 @@ public: options.setClass(aClass); JS::Rooted proxyPrivateVal(aCx, JS::PrivateValue(aNative)); aReflector.set(js::NewProxyObject(aCx, aHandler, proxyPrivateVal, aProto, - options)); + /* parent= */nullptr, options)); if (aReflector) { mNative = aNative; mReflector = aReflector; diff --git a/js/ipc/WrapperOwner.cpp b/js/ipc/WrapperOwner.cpp index 0eeb76a345..0b2410b3d7 100644 --- a/js/ipc/WrapperOwner.cpp +++ b/js/ipc/WrapperOwner.cpp @@ -1020,6 +1020,7 @@ WrapperOwner::fromRemoteObjectVariant(JSContext* cx, RemoteObject objVar) &CPOWProxyHandler::singleton, v, nullptr, + junkScope, options); if (!obj) return nullptr; diff --git a/js/public/Proxy.h b/js/public/Proxy.h index 73b058fc55..0cafae92d6 100644 --- a/js/public/Proxy.h +++ b/js/public/Proxy.h @@ -582,7 +582,7 @@ class MOZ_STACK_CLASS ProxyOptions { JS_FRIEND_API(JSObject*) NewProxyObject(JSContext* cx, const BaseProxyHandler* handler, HandleValue priv, - JSObject* proto, const ProxyOptions& options = ProxyOptions()); + JSObject* proto, JSObject* parent, const ProxyOptions& options = ProxyOptions()); JSObject* RenewProxyObject(JSContext* cx, JSObject* obj, BaseProxyHandler* handler, Value priv); diff --git a/js/src/jsapi-tests/testBug604087.cpp b/js/src/jsapi-tests/testBug604087.cpp index c9c41509a6..47723a8964 100644 --- a/js/src/jsapi-tests/testBug604087.cpp +++ b/js/src/jsapi-tests/testBug604087.cpp @@ -44,9 +44,10 @@ PreWrap(JSContext* cx, JS::HandleObject scope, JS::HandleObject obj, } static JSObject* -Wrap(JSContext* cx, JS::HandleObject existing, JS::HandleObject obj) +Wrap(JSContext* cx, JS::HandleObject existing, JS::HandleObject obj, + JS::HandleObject parent) { - return js::Wrapper::New(cx, obj, &js::CrossCompartmentWrapper::singleton); + return js::Wrapper::New(cx, obj, parent, &js::CrossCompartmentWrapper::singleton); } static const JSWrapObjectCallbacks WrapObjectCallbacks = { 
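Review bot: The Proxy.h hunk reintroduces a `JSObject* parent` parameter on the public `NewProxyObject` declaration with no documentation of what callers may pass, and the call sites in this patch disagree (BindingUtils.h and Sandbox.cpp pass `nullptr`, most others pass a global). The ProxyObject.cpp hunk only asserts `MOZ_ASSERT_IF(parent, cx->compartment() == parent->compartment())`, so null is accepted and a non-null parent must be in cx's compartment; that contract should sit on the declaration: `// |parent| may be null; when non-null it must belong to cx's current compartment (asserted in ProxyObject::New).` Without it, an embedder passing a cross-compartment object only finds out via a debug-only assertion.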
@@ -59,7 +60,7 @@ BEGIN_TEST(testBug604087) js::WrapperOptions options; options.setClass(&OuterWrapperClass); options.setSingleton(true); - JS::RootedObject outerObj(cx, js::Wrapper::New(cx, global, &js::Wrapper::singleton, options)); + JS::RootedObject outerObj(cx, js::Wrapper::New(cx, global, global, &js::Wrapper::singleton, options)); JS::RootedObject compartment2(cx, JS_NewGlobalObject(cx, getGlobalClass(), nullptr, JS::FireOnNewGlobalHook)); JS::RootedObject compartment3(cx, JS_NewGlobalObject(cx, getGlobalClass(), nullptr, JS::FireOnNewGlobalHook)); JS::RootedObject compartment4(cx, JS_NewGlobalObject(cx, getGlobalClass(), nullptr, JS::FireOnNewGlobalHook)); @@ -80,7 +81,7 @@ BEGIN_TEST(testBug604087) JS::RootedObject next(cx); { JSAutoCompartment ac(cx, compartment2); - next = js::Wrapper::New(cx, compartment2, &js::Wrapper::singleton, options); + next = js::Wrapper::New(cx, compartment2, compartment2, &js::Wrapper::singleton, options); CHECK(next); } diff --git a/js/src/jsapi-tests/testSetPropertyIgnoringNamedGetter.cpp b/js/src/jsapi-tests/testSetPropertyIgnoringNamedGetter.cpp index 9d2769b786..7cd076fb96 100644 --- a/js/src/jsapi-tests/testSetPropertyIgnoringNamedGetter.cpp +++ b/js/src/jsapi-tests/testSetPropertyIgnoringNamedGetter.cpp @@ -72,7 +72,7 @@ BEGIN_TEST(testSetPropertyIgnoringNamedGetter_direct) EVAL("({})", &targetv); RootedObject proxyObj(cx, NewProxyObject(cx, &customProxyHandler, targetv, - &protov.toObject(), ProxyOptions())); + &protov.toObject(), global, ProxyOptions())); CHECK(proxyObj); CHECK(JS_DefineProperty(cx, global, "target", targetv, 0)); diff --git a/js/src/jsapi.h b/js/src/jsapi.h index 3f249e0207..673aebdd9a 100644 --- a/js/src/jsapi.h +++ b/js/src/jsapi.h 
@@ -730,7 +730,8 @@ typedef bool * guaranteed not to wrap a function. */ typedef JSObject* -(* JSWrapObjectCallback)(JSContext* cx, JS::HandleObject existing, JS::HandleObject obj); +(* JSWrapObjectCallback)(JSContext* cx, JS::HandleObject existing, JS::HandleObject obj, + JS::HandleObject parent); /* * Callback used by the wrap hook to ask the embedding to prepare an object diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp index 3fb67b909c..3fb40bfa6b 100644 --- a/js/src/jscompartment.cpp +++ b/js/src/jscompartment.cpp @@ -425,7 +425,7 @@ JSCompartment::wrap(JSContext* cx, MutableHandleObject obj, HandleObject existin } } - obj.set(cb->wrap(cx, existing, obj)); + obj.set(cb->wrap(cx, existing, obj, global)); if (!obj) return false; diff --git a/js/src/jsfriendapi.cpp b/js/src/jsfriendapi.cpp index 7575d5c549..f9e773b193 100644 --- a/js/src/jsfriendapi.cpp +++ b/js/src/jsfriendapi.cpp @@ -606,10 +606,10 @@ js::StringToLinearStringSlow(JSContext* cx, JSString* str) } JS_FRIEND_API(JSObject*) -JS_CloneObject(JSContext* cx, HandleObject obj, HandleObject protoArg) +JS_CloneObject(JSContext* cx, HandleObject obj, HandleObject protoArg, HandleObject parent) { Rooted proto(cx, TaggedProto(protoArg.get())); - return CloneObject(cx, obj, proto); + return CloneObject(cx, obj, proto, parent); } #ifdef DEBUG diff --git a/js/src/jsfriendapi.h b/js/src/jsfriendapi.h index 9dc3ab5436..c06d0db93a 100644 --- a/js/src/jsfriendapi.h +++ b/js/src/jsfriendapi.h @@ -115,7 +115,8 @@ extern JS_FRIEND_API(JSObject*) JS_ObjectToOuterObject(JSContext* cx, JS::HandleObject obj); extern JS_FRIEND_API(JSObject*) -JS_CloneObject(JSContext* cx, JS::HandleObject obj, JS::HandleObject proto); +JS_CloneObject(JSContext* cx, JS::HandleObject obj, JS::HandleObject proto, + JS::HandleObject parent); extern JS_FRIEND_API(JSString*) JS_BasicObjectToString(JSContext* cx, JS::HandleObject obj); diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp index 202d53c821..a93818bfc5 100644 
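Review bot: The jsapi.h hunk adds a `JS::HandleObject parent` argument to the embedder-facing `JSWrapObjectCallback` typedef, but the comment block above it (which ends with the "guaranteed not to wrap a function" sentence) says nothing about what `parent` is. The jscompartment.cpp hunk shows the only caller passing a variable named `global`, which presumably is the global of the compartment being wrapped into — confirm against the start of JSCompartment::wrap, which lies outside the hunk. I would add to the comment: ` * |parent| is the global of the compartment the wrapper is created in (the compartment cx is currently entered into).` Embedders implementing this callback (WrapperFactory::Rewrap in this same patch) forward it straight into Wrapper::New, which asserts it is non-null, so the contract is load-bearing.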
--- a/js/src/jsobj.cpp +++ b/js/src/jsobj.cpp @@ -1766,7 +1766,7 @@ CopyProxyObject(JSContext* cx, Handle from, Handle t } JSObject* -js::CloneObject(JSContext* cx, HandleObject obj, Handle proto) +js::CloneObject(JSContext* cx, HandleObject obj, Handle proto, HandleObject parent) { if (!obj->isNative() && !obj->is()) { JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, @@ -1776,7 +1776,7 @@ js::CloneObject(JSContext* cx, HandleObject obj, Handle proto) RootedObject clone(cx); if (obj->isNative()) { - clone = NewObjectWithGivenTaggedProto(cx, obj->getClass(), proto, NullPtr()); + clone = NewObjectWithGivenTaggedProto(cx, obj->getClass(), proto, parent); if (!clone) return nullptr; @@ -1792,7 +1792,7 @@ js::CloneObject(JSContext* cx, HandleObject obj, Handle proto) ProxyOptions options; options.setClass(obj->getClass()); - clone = ProxyObject::New(cx, GetProxyHandler(obj), JS::NullHandleValue, proto, options); + clone = ProxyObject::New(cx, GetProxyHandler(obj), JS::NullHandleValue, proto, parent, options); if (!clone) return nullptr; diff --git a/js/src/jsobj.h b/js/src/jsobj.h index eead470a57..06b3bf82e9 100644 --- a/js/src/jsobj.h +++ b/js/src/jsobj.h @@ -1140,7 +1140,7 @@ extern JSObject* CreateThis(JSContext* cx, const js::Class* clasp, js::HandleObject callee); extern JSObject* -CloneObject(JSContext* cx, HandleObject obj, Handle proto); +CloneObject(JSContext* cx, HandleObject obj, Handle proto, HandleObject parent); extern NativeObject* DeepCloneObjectLiteral(JSContext* cx, HandleNativeObject obj, NewObjectKind newKind = GenericObject); diff --git a/js/src/jswrapper.h b/js/src/jswrapper.h index 59017d5011..ea530fa603 100644 --- a/js/src/jswrapper.h +++ b/js/src/jswrapper.h 
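Review bot: In the jsobj.cpp hunks, the native branch of `js::CloneObject` now hands `parent` straight to `NewObjectWithGivenTaggedProto(cx, obj->getClass(), proto, parent)` with no check, while the proxy branch reaches `ProxyObject::New`, which in this patch asserts `cx->compartment() == parent->compartment()`. `JS_CloneObject` is a friend API that any embedder can call with an arbitrary parent, so the two branches should be held to the same invariant; hoist it to the top of the function: `MOZ_ASSERT_IF(parent, cx->compartment() == parent->compartment());`. The body of CloneObject is split across the three hunks and continues beyond the last one.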
@@ -69,7 +69,7 @@ class JS_FRIEND_API(Wrapper) : public DirectProxyHandler virtual bool defaultValue(JSContext* cx, HandleObject obj, JSType hint, MutableHandleValue vp) const override; - static JSObject* New(JSContext* cx, JSObject* obj, const Wrapper* handler, + static JSObject* New(JSContext* cx, JSObject* obj, JSObject* parent, const Wrapper* handler, const WrapperOptions& options = WrapperOptions()); static JSObject* Renew(JSContext* cx, JSObject* existing, JSObject* obj, const Wrapper* handler); @@ -217,7 +217,8 @@ typedef SecurityWrapper SameCompartmentSecurityWrapper; typedef SecurityWrapper CrossCompartmentSecurityWrapper; extern JSObject* -TransparentObjectWrapper(JSContext* cx, HandleObject existing, HandleObject obj); +TransparentObjectWrapper(JSContext* cx, HandleObject existing, HandleObject obj, + HandleObject parent); inline bool IsWrapper(JSObject* obj) diff --git a/js/src/proxy/Proxy.cpp b/js/src/proxy/Proxy.cpp index a945f15c0a..1f06825a98 100644 --- a/js/src/proxy/Proxy.cpp +++ b/js/src/proxy/Proxy.cpp @@ -728,14 +728,15 @@ const Class* const js::ProxyClassPtr = &js::ProxyObject::class_; JS_FRIEND_API(JSObject*) js::NewProxyObject(JSContext* cx, const BaseProxyHandler* handler, HandleValue priv, JSObject* proto_, - const ProxyOptions& options) + JSObject* parent_, const ProxyOptions& options) { if (options.lazyProto()) { MOZ_ASSERT(!proto_); proto_ = TaggedProto::LazyProto; } - return ProxyObject::New(cx, handler, priv, TaggedProto(proto_), options); + return ProxyObject::New(cx, handler, priv, TaggedProto(proto_), parent_, + options); } void diff --git a/js/src/proxy/ScriptedDirectProxyHandler.cpp b/js/src/proxy/ScriptedDirectProxyHandler.cpp index 6685b80583..fc0af8deb5 100644 --- a/js/src/proxy/ScriptedDirectProxyHandler.cpp +++ b/js/src/proxy/ScriptedDirectProxyHandler.cpp 
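Review bot: The jswrapper.h hunk inserts `JSObject* parent` between `obj` and `handler` in `Wrapper::New` with no comment, and its contract differs from `NewProxyObject`'s: the Wrapper.cpp hunk adds an unconditional `MOZ_ASSERT(parent)`, so null is not allowed here even though `ProxyObject::New` tolerates it. That difference is invisible from the header; document it at the declaration: `// |parent| must be non-null and live in cx's compartment; it is only asserted in debug builds.` Callers in this patch satisfy it by passing a global (`JS_GetGlobalForObject`, `global`, `&obj.toObject().global()`), and a release build would otherwise carry a null parent silently into object allocation.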
@@ -1206,7 +1206,7 @@ NewScriptedProxy(JSContext* cx, CallArgs& args, const char* callerName) RootedValue priv(cx, ObjectValue(*target)); JSObject* proxy_ = NewProxyObject(cx, &ScriptedDirectProxyHandler::singleton, - priv, TaggedProto::LazyProto); + priv, TaggedProto::LazyProto, cx->global()); if (!proxy_) return false; Rooted proxy(cx, &proxy_->as()); diff --git a/js/src/proxy/ScriptedIndirectProxyHandler.cpp b/js/src/proxy/ScriptedIndirectProxyHandler.cpp index 93661c2b00..c883c2d577 100644 --- a/js/src/proxy/ScriptedIndirectProxyHandler.cpp +++ b/js/src/proxy/ScriptedIndirectProxyHandler.cpp @@ -406,16 +406,19 @@ js::proxy_create(JSContext* cx, unsigned argc, Value* vp) JSObject* handler = NonNullObject(cx, args[0]); if (!handler) return false; - JSObject* proto; + JSObject* proto, *parent = nullptr; if (args.get(1).isObject()) { proto = &args[1].toObject(); + parent = proto->getParent(); } else { MOZ_ASSERT(IsFunctionObject(&args.callee())); proto = nullptr; } + if (!parent) + parent = args.callee().getParent(); RootedValue priv(cx, ObjectValue(*handler)); JSObject* proxy = NewProxyObject(cx, &ScriptedIndirectProxyHandler::singleton, - priv, proto); + priv, proto, parent); if (!proxy) return false; @@ -435,9 +438,12 @@ js::proxy_createFunction(JSContext* cx, unsigned argc, Value* vp) RootedObject handler(cx, NonNullObject(cx, args[0])); if (!handler) return false; - RootedObject proto(cx, args.callee().global().getOrCreateFunctionPrototype(cx)); + RootedObject proto(cx), parent(cx); + parent = args.callee().getParent(); + proto = parent->global().getOrCreateFunctionPrototype(cx); if (!proto) return false; + parent = proto->getParent(); RootedObject call(cx, ValueToCallable(cx, args[1], args.length() - 2)); if (!call) 
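Review bot: In the `proxy_createFunction` hunk the new line `proto = parent->global().getOrCreateFunctionPrototype(cx);` dereferences `args.callee().getParent()` without a null check, whereas the removed line obtained the global directly from the callee (`args.callee().global()`), which cannot be null. The first `parent = args.callee().getParent();` assignment is also dead, since `parent` is overwritten by `parent = proto->getParent();` three lines later. Use the callee's global for the lookup and drop the dead assignment: `proto = args.callee().global().getOrCreateFunctionPrototype(cx);` followed by the existing `if (!proto) return false;` and `parent = proto->getParent();`. The same `getParent()` fallback appears in the `proxy_create` hunk above, but there a null result only becomes a null `parent` for NewProxyObject, which ProxyObject::New accepts.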
@@ -463,7 +469,7 @@ js::proxy_createFunction(JSContext* cx, unsigned argc, Value* vp) RootedValue priv(cx, ObjectValue(*handler)); JSObject* proxy = NewProxyObject(cx, &CallableScriptedIndirectProxyHandler::singleton, - priv, proto); + priv, proto, parent); if (!proxy) return false; proxy->as().setExtra(0, ObjectValue(*ccHolder)); diff --git a/js/src/proxy/Wrapper.cpp b/js/src/proxy/Wrapper.cpp index 86b854b862..fed088b31e 100644 --- a/js/src/proxy/Wrapper.cpp +++ b/js/src/proxy/Wrapper.cpp @@ -33,11 +33,13 @@ Wrapper::defaultValue(JSContext* cx, HandleObject proxy, JSType hint, MutableHan } JSObject* -Wrapper::New(JSContext* cx, JSObject* obj, const Wrapper* handler, +Wrapper::New(JSContext* cx, JSObject* obj, JSObject* parent, const Wrapper* handler, const WrapperOptions& options) { + MOZ_ASSERT(parent); + RootedValue priv(cx, ObjectValue(*obj)); - return NewProxyObject(cx, handler, priv, options.proto(), options); + return NewProxyObject(cx, handler, priv, options.proto(), parent, options); } JSObject* @@ -128,11 +130,12 @@ JSObject* Wrapper::defaultProto = TaggedProto::LazyProto; /* Compartments. */ extern JSObject* -js::TransparentObjectWrapper(JSContext* cx, HandleObject existing, HandleObject obj) +js::TransparentObjectWrapper(JSContext* cx, HandleObject existing, HandleObject obj, + HandleObject parent) { // Allow wrapping outer window proxies. MOZ_ASSERT(!obj->is() || obj->getClass()->ext.innerObject); - return Wrapper::New(cx, obj, &CrossCompartmentWrapper::singleton); + return Wrapper::New(cx, obj, parent, &CrossCompartmentWrapper::singleton); } ErrorCopier::~ErrorCopier() diff --git a/js/src/shell/js.cpp b/js/src/shell/js.cpp index dc4703e8c6..191ab90939 100644 --- a/js/src/shell/js.cpp +++ b/js/src/shell/js.cpp 
@@ -3950,7 +3950,7 @@ WrapWithProto(JSContext* cx, unsigned argc, jsval* vp) WrapperOptions options(cx); options.setProto(proto.toObjectOrNull()); - JSObject* wrapped = Wrapper::New(cx, &obj.toObject(), + JSObject* wrapped = Wrapper::New(cx, &obj.toObject(), &obj.toObject().global(), &Wrapper::singletonWithPrototype, options); if (!wrapped) return false; diff --git a/js/src/vm/ProxyObject.cpp b/js/src/vm/ProxyObject.cpp index 64356e9779..8211effc15 100644 --- a/js/src/vm/ProxyObject.cpp +++ b/js/src/vm/ProxyObject.cpp @@ -17,14 +17,16 @@ using namespace js; /* static */ ProxyObject* ProxyObject::New(JSContext* cx, const BaseProxyHandler* handler, HandleValue priv, TaggedProto proto_, - const ProxyOptions& options) + JSObject* parent_, const ProxyOptions& options) { Rooted proto(cx, proto_); + RootedObject parent(cx, parent_); const Class* clasp = options.clasp(); MOZ_ASSERT(isValidProxyClass(clasp)); MOZ_ASSERT_IF(proto.isObject(), cx->compartment() == proto.toObject()->compartment()); + MOZ_ASSERT_IF(parent, cx->compartment() == parent->compartment()); /* * Eagerly mark properties unknown for proxies, so we don't try to track @@ -51,7 +53,7 @@ ProxyObject::New(JSContext* cx, const BaseProxyHandler* handler, HandleValue pri // Note: this will initialize the object's |data| to strange values, but we // will immediately overwrite those below. - RootedObject obj(cx, NewObjectWithGivenTaggedProto(cx, clasp, proto, NullPtr(), allocKind, + RootedObject obj(cx, NewObjectWithGivenTaggedProto(cx, clasp, proto, parent, allocKind, newKind)); if (!obj) { js_free(values); diff --git a/js/src/vm/ProxyObject.h b/js/src/vm/ProxyObject.h index 1044573464..4049e99587 100644 --- a/js/src/vm/ProxyObject.h +++ b/js/src/vm/ProxyObject.h 
@@ -28,7 +28,8 @@ class ProxyObject : public JSObject public: static ProxyObject* New(JSContext* cx, const BaseProxyHandler* handler, HandleValue priv, - TaggedProto proto_, const ProxyOptions& options); + TaggedProto proto_, JSObject* parent_, + const ProxyOptions& options); const Value& private_() { return GetProxyPrivate(this); diff --git a/js/src/vm/ScopeObject.cpp b/js/src/vm/ScopeObject.cpp index 4aa5ce9b3a..256615593d 100644 --- a/js/src/vm/ScopeObject.cpp +++ b/js/src/vm/ScopeObject.cpp @@ -1818,7 +1818,7 @@ DebugScopeObject::create(JSContext* cx, ScopeObject& scope, HandleObject enclosi MOZ_ASSERT(scope.compartment() == cx->compartment()); RootedValue priv(cx, ObjectValue(scope)); JSObject* obj = NewProxyObject(cx, &DebugScopeProxy::singleton, priv, - nullptr /* proto */); + nullptr /* proto */, &scope.global()); if (!obj) return nullptr; diff --git a/js/xpconnect/src/Sandbox.cpp b/js/xpconnect/src/Sandbox.cpp index dc022668ff..e604298c3b 100644 --- a/js/xpconnect/src/Sandbox.cpp +++ b/js/xpconnect/src/Sandbox.cpp @@ -626,7 +626,7 @@ WrapCallable(JSContext* cx, HandleObject callable, HandleObject sandboxProtoProx RootedValue priv(cx, ObjectValue(*callable)); JSObject *obj = js::NewProxyObject(cx, &xpc::sandboxCallableProxyHandler, - priv, nullptr); + priv, nullptr, nullptr); if (obj) { js::SetProxyExtra(obj, SandboxCallableProxyHandler::SandboxProxySlot, ObjectValue(*sandboxProtoProxy)); @@ -955,7 +955,7 @@ xpc::CreateSandboxObject(JSContext* cx, MutableHandleValue vp, nsISupports* prin // of this-binding for methods. RootedValue priv(cx, ObjectValue(*options.proto)); options.proto = js::NewProxyObject(cx, &xpc::sandboxProxyHandler, - priv, nullptr); + priv, nullptr, nullptr); if (!options.proto) return NS_ERROR_OUT_OF_MEMORY; } diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp index fbe811143f..829b1579c9 100644 --- a/js/xpconnect/wrappers/WrapperFactory.cpp +++ b/js/xpconnect/wrappers/WrapperFactory.cpp 
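Review bot: In the two Sandbox.cpp hunks, both `js::NewProxyObject` calls pass a bare `nullptr` for the new `parent` argument, while the xpconnect call site in WrapperFactory.cpp from the same patch supplies a global. `ProxyObject::New` only asserts `MOZ_ASSERT_IF(parent, ...)`, so this is not a crash, but an unnamed `nullptr` between `priv, nullptr` leaves a reader unable to tell whether the null parent is deliberate for sandbox proxies or simply the minimal edit to make the revert compile. Mark the intent the way the BindingUtils.h hunk does: `priv, nullptr, /* parent= */ nullptr);` at both sites. If a parent is actually wanted, it must be an object in cx's compartment, which the hunks do not establish for `options.proto` or `callable`, so I would not guess at one here.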
@@ -78,7 +78,9 @@ WrapperFactory::CreateXrayWaiver(JSContext* cx, HandleObject obj) XPCWrappedNativeScope* scope = ObjectScope(obj); JSAutoCompartment ac(cx, obj); - JSObject* waiver = Wrapper::New(cx, obj, &XrayWaiver); + JSObject* waiver = Wrapper::New(cx, obj, + JS_GetGlobalForObject(cx, obj), + &XrayWaiver); if (!waiver) return nullptr; @@ -380,7 +382,8 @@ SelectAddonWrapper(JSContext* cx, HandleObject obj, const Wrapper* wrapper) } JSObject* -WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj) +WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj, + HandleObject parent) { MOZ_ASSERT(!IsWrapper(obj) || GetProxyHandler(obj) == &XrayWaiver || @@ -501,7 +504,7 @@ WrapperFactory::Rewrap(JSContext* cx, HandleObject existing, HandleObject obj) if (existing) return Wrapper::Renew(cx, existing, obj, wrapper); - return Wrapper::New(cx, obj, wrapper); + return Wrapper::New(cx, obj, parent, wrapper); } // Call WaiveXrayAndWrap when you have a JS object that you don't want to be diff --git a/js/xpconnect/wrappers/WrapperFactory.h b/js/xpconnect/wrappers/WrapperFactory.h index 566ae0caa0..86b531eee5 100644 --- a/js/xpconnect/wrappers/WrapperFactory.h +++ b/js/xpconnect/wrappers/WrapperFactory.h @@ -46,7 +46,8 @@ class WrapperFactory { // Rewrap an object that is about to cross compartment boundaries. static JSObject* Rewrap(JSContext* cx, JS::HandleObject existing, - JS::HandleObject obj); + JS::HandleObject obj, + JS::HandleObject parent); // Wrap wrapped object into a waiver wrapper and then re-wrap it. static bool WaiveXrayAndWrap(JSContext* cx, JS::MutableHandleValue vp);
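Review bot: In the `WrapperFactory::Rewrap` hunks, the new `parent` parameter is consumed only on the `Wrapper::New(cx, obj, parent, wrapper)` path; the `if (existing) return Wrapper::Renew(cx, existing, obj, wrapper);` branch just above it ignores `parent` entirely, so a wrapper reused through Renew keeps whatever parent it was first created with. That is presumably intended, since Renew reuses an existing wrapper in the same compartment, but it should be stated, as `Wrapper::New` asserts `parent` non-null and the WrapperFactory.h declaration says nothing about it. I would add to the header comment: `// |parent| is the global of the compartment being wrapped into; it is ignored when |existing| is reused.` Rewrap's body spans more than what the hunks show, and the CreateXrayWaiver hunk's `JS_GetGlobalForObject(cx, obj)` is correctly evaluated after `JSAutoCompartment ac(cx, obj)`, so that call site does satisfy the same-compartment assertion.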