From 878193f1fb8ea476c52f066795c01339bb32e99c Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Fri, 20 Dec 2013 14:28:18 -0500
Subject: [PATCH] Bug 949890. Fix rooting hazard in workers::XMLHttpRequest::Send. r=khuey
---
 dom/workers/XMLHttpRequest.cpp | 25 +++++++++++++++++++------
 dom/workers/XMLHttpRequest.h | 16 +++-------------
 2 files changed, 22 insertions(+), 19 deletions(-)
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
index 70197494503..442aab7c562 100644
--- a/dom/workers/XMLHttpRequest.cpp
+++ b/dom/workers/XMLHttpRequest.cpp
@@ -2045,12 +2045,11 @@ XMLHttpRequest::Send(const nsAString& aBody, ErrorResult& aRv)
 }
 void
-XMLHttpRequest::Send(JSObject* aBody, ErrorResult& aRv)
+XMLHttpRequest::Send(JS::Handle aBody, ErrorResult& aRv)
 {
 JSContext* cx = mWorkerPrivate->GetJSContext();
 MOZ_ASSERT(aBody);
- JS::Rooted body(cx, aBody);
 mWorkerPrivate->AssertIsOnWorkerThread();
@@ -2065,12 +2064,12 @@ XMLHttpRequest::Send(JSObject* aBody, ErrorResult& aRv)
 }
 JS::Rooted valToClone(cx);
- if (JS_IsArrayBufferObject(body) || JS_IsArrayBufferViewObject(body) ||
- file::GetDOMBlobFromJSObject(body)) {
- valToClone.setObject(*body);
+ if (JS_IsArrayBufferObject(aBody) || JS_IsArrayBufferViewObject(aBody) ||
+ file::GetDOMBlobFromJSObject(aBody)) {
+ valToClone.setObject(*aBody);
 }
 else {
- JS::Rooted obj(cx, JS::ObjectValue(*body));
+ JS::Rooted obj(cx, JS::ObjectValue(*aBody));
 JSString* bodyStr = JS::ToString(cx, obj);
 if (!bodyStr) {
 aRv.Throw(NS_ERROR_OUT_OF_MEMORY);
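Review bot: `MOZ_ASSERT(aBody);` in the first hunk is the only guard in front of the `*aBody` dereferences in the second hunk (`valToClone.setObject(*aBody)` and `JS::ObjectValue(*aBody)`), and that assertion is compiled out of release builds. The `Send(JSObject&)` overload removed from the header expressed non-null in its type; a handle does not, so the precondition should be written down at the definition, e.g. `// aBody must be non-null: it is dereferenced below and MOZ_ASSERT is debug-only.` Whether every caller guarantees a non-null handle is not visible in this diff. The page shows `JS::Handle` and `JS::Rooted` without template arguments, which look lost in rendering, and the body of Send continues outside both hunks.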
@@ -2095,6 +2094,20 @@ XMLHttpRequest::Send(JSObject* aBody, ErrorResult& aRv)
 SendInternal(EmptyString(), buffer, clonedObjects, aRv);
 }
+void
+XMLHttpRequest::Send(const ArrayBuffer& aBody, ErrorResult& aRv)
+{
+ JS::Rooted obj(mWorkerPrivate->GetJSContext(), aBody.Obj());
+ return Send(obj, aRv);
+}
+
+void
+XMLHttpRequest::Send(const ArrayBufferView& aBody, ErrorResult& aRv)
+{
+ JS::Rooted obj(mWorkerPrivate->GetJSContext(), aBody.Obj());
+ return Send(obj, aRv);
+}
+
 void
 XMLHttpRequest::SendAsBinary(const nsAString& aBody, ErrorResult& aRv)
 {
diff --git a/dom/workers/XMLHttpRequest.h b/dom/workers/XMLHttpRequest.h
index 8206c337178..12c57842f4b 100644
--- a/dom/workers/XMLHttpRequest.h
+++ b/dom/workers/XMLHttpRequest.h
@@ -160,23 +160,13 @@ public:
 Send(const nsAString& aBody, ErrorResult& aRv);
 void
- Send(JSObject* aBody, ErrorResult& aRv);
+ Send(JS::Handle aBody, ErrorResult& aRv);
 void
- Send(JSObject& aBody, ErrorResult& aRv)
- {
- Send(&aBody, aRv);
- }
+ Send(const ArrayBuffer& aBody, ErrorResult& aRv);
 void
- Send(const ArrayBuffer& aBody, ErrorResult& aRv) {
- return Send(aBody.Obj(), aRv);
- }
-
- void
- Send(const ArrayBufferView& aBody, ErrorResult& aRv) {
- return Send(aBody.Obj(), aRv);
- }
+ Send(const ArrayBufferView& aBody, ErrorResult& aRv);
 void
 SendAsBinary(const nsAString& aBody, ErrorResult& aRv);
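Review bot: The two new out-of-line overloads, `Send(const ArrayBuffer&)` and `Send(const ArrayBufferView&)`, root `aBody.Obj()` in a local before forwarding, but neither body says why, even though that local is the memory-safety part of the change. A one-line comment in each would record the invariant, e.g. `// Obj() yields an untraced JSObject*; root it before Send(), which may GC.` That Send can trigger a GC is inferred from the commit subject and from the `JS::ToString` call visible in the earlier hunk, not shown directly here. As a style point, `return Send(obj, aRv);` in a `void` function reads as though a value were propagated; plain `Send(obj, aRv);` is clearer.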