Bug 959926. Fix some miscellaneous unsafe pointer hazards. r=terrence

2024-09-13 09:24:08 -07:00 · 2014-01-15 14:39:08 -05:00 · 2014-01-15 14:39:08 -05:00 · 155178df6b
commit 155178df6b
parent b6f0a2657c
5 changed files with 20 additions and 7 deletions
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@ -3305,7 +3305,9 @@ NS_IMETHODIMP nsJSArgArray::QueryElementAt(uint32_t index, const nsIID & uuid, v
    return NS_ERROR_INVALID_ARG;

  if (uuid.Equals(NS_GET_IID(nsIVariant)) || uuid.Equals(NS_GET_IID(nsISupports))) {
-    return nsContentUtils::XPConnect()->JSToVariant(mContext, mArgv[index],
+    // Have to copy a Heap into a Rooted to work with it.
+    JS::Rooted<JS::Value> val(mContext, mArgv[index]);
+    return nsContentUtils::XPConnect()->JSToVariant(mContext, val,
                                                    (nsIVariant **)result);
  }
  NS_WARNING("nsJSArgArray only handles nsIVariant");
--- a/js/jsd/jsd_high.cpp
+++ b/js/jsd/jsd_high.cpp
@ -360,7 +360,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
            return false;
        case JSD_ERROR_REPORTER_DEBUG:
        {
-            jsval rval;
+            JS::RootedValue rval(cx);
            JSD_ExecutionHookProc   hook;
            void*                   hookData;

@ -371,7 +371,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
            JSD_UNLOCK();

            jsd_CallExecutionHook(jsdc, cx, JSD_HOOK_DEBUG_REQUESTED,
-                                  hook, hookData, &rval);
+                                  hook, hookData, rval.address());
            /* XXX Should make this dependent on ExecutionHook retval */
            return true;
        }
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -7426,11 +7426,11 @@ CodeGenerator::visitInstanceOfV(LInstanceOfV *ins)
    return emitInstanceOf(ins, ins->mir()->prototypeObject());
 }

-// Wrap IsDelegate, which takes a Value for the lhs of an instanceof.
+// Wrap IsDelegateOfObject, which takes a JSObject*, not a HandleObject
 static bool
 IsDelegateObject(JSContext *cx, HandleObject protoObj, HandleObject obj, bool *res)
 {
-    return IsDelegate(cx, protoObj, ObjectValue(*obj), res);
+    return IsDelegateOfObject(cx, protoObj, obj, res);
 }

 typedef bool (*IsDelegateObjectFn)(JSContext *, HandleObject, HandleObject, bool *);
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -5252,7 +5252,13 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
        *result = false;
        return true;
    }
-    RootedObject obj2(cx, &v.toObject());
+    return IsDelegateOfObject(cx, obj, &v.toObject(), result);
+}
+
+bool
+js::IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result)
+{
+    RootedObject obj2(cx, obj);
    for (;;) {
        if (!JSObject::getProto(cx, obj2, &obj2))
            return false;
@ -5260,7 +5266,7 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
            *result = false;
            return true;
        }
-        if (obj2 == obj) {
+        if (obj2 == protoObj) {
            *result = true;
            return true;
        }
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -1536,6 +1536,11 @@ CheckAccess(JSContext *cx, JSObject *obj, HandleId id, JSAccessMode mode,
 extern bool
 IsDelegate(JSContext *cx, HandleObject obj, const Value &v, bool *result);

+// obj is a JSObject*, but we root it immediately up front. We do it
+// that way because we need a Rooted temporary in this method anyway.
+extern bool
+IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result);
+
 bool
 GetObjectElementOperationPure(ThreadSafeContext *cx, JSObject *obj, const Value &prop, Value *vp);