From 71b63fdffae4e53a40f60bd9bedd7b929d1152d1 Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Thu, 14 Mar 2013 22:38:26 -0700
Subject: [PATCH] Bug 850517 - Support named window access via Xray. r=mrbkap

---
 js/xpconnect/wrappers/XrayWrapper.cpp | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/js/xpconnect/wrappers/XrayWrapper.cpp b/js/xpconnect/wrappers/XrayWrapper.cpp
index d2f9c99cf37..8b9a8c05cfb 100644
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -175,6 +175,8 @@ private:
 class XPCWrappedNativeXrayTraits : public XrayTraits
 {
 public:
+    static const XrayType Type = XrayForWrappedNative;
+
     static bool resolveNativeProperty(JSContext *cx, JSObject *wrapper, JSObject *holder, jsid id,
                                       JSPropertyDescriptor *desc, unsigned flags);
     virtual bool resolveOwnProperty(JSContext *cx, js::Wrapper &jsWrapper, JSObject *wrapper,
@@ -217,6 +219,8 @@ public:
 class DOMXrayTraits : public XrayTraits
 {
 public:
+    static const XrayType Type = XrayForDOMObject;
+
     static bool resolveNativeProperty(JSContext *cx, JSObject *wrapper, JSObject *holder, jsid id,
                                       JSPropertyDescriptor *desc, unsigned flags);
     virtual bool resolveOwnProperty(JSContext *cx, js::Wrapper &jsWrapper, JSObject *wrapper,
@@ -1459,6 +1463,29 @@ XrayWrapper<Base, Traits>::getPropertyDescriptor(JSContext *cx, JSObject *wrappe
         return true;
     }
 
+    // We need to handle named access on the Window somewhere other than
+    // Traits::resolveOwnProperty, because per spec it happens on the Global
+    // Scope Polluter and thus the resulting properties are non-|own|. However,
+    // we're set up (below) to cache (on the holder) anything that comes out of
+    // resolveNativeProperty, which we don't want for something dynamic like
+    // named access. So we just handle it here.
+    nsGlobalWindow *win;
+    if (Traits::Type == XrayForWrappedNative && JSID_IS_STRING(id) &&
+        (win = static_cast<nsGlobalWindow*>(As<nsIDOMWindow>(wrapper))))
+    {
+        nsCOMPtr<nsIDOMWindow> childDOMWin = win->GetChildWindow(id);
+        if (childDOMWin) {
+            nsGlobalWindow *cwin = static_cast<nsGlobalWindow*>(childDOMWin.get());
+            JSObject *childObj = cwin->FastGetGlobalJSObject();
+            if (MOZ_UNLIKELY(!childObj))
+                return xpc::Throw(cx, NS_ERROR_FAILURE);
+            mozilla::dom::FillPropertyDescriptor(desc, wrapper,
+                                                 ObjectValue(*childObj),
+                                                 /* readOnly = */ true);
+            return JS_WrapPropertyDescriptor(cx, desc);
+        }
+    }
+
     if (!JS_GetPropertyDescriptorById(cx, holder, id, 0, desc))
         return false;
     if (desc->obj) {