Bug 778409 - Enter the compartment of unwrappedProto rather than obj in Rewrap. r=gabor

This can happen if chrome sets its proto to a content object from a different scope than the one doing the wrapping. In this case, the prototype chain looks like this: chromeobj => CCW(examplecom_obj) => CCW(examplecom_scope.Object.prototype) When wrapping chromeobj for exampleorg_scope, things will look like this: COW(chromeobj) => CCW(examplecom_obj) => CCW(examplecom_scope.Object.prototype) Note that we don't remap the proto of CCW(examplecom_scope) to exampleorg_scope.Object.prototype, because the proto remapping only happens when the object we're wrapping is chrome. There's no reason it has to be this way, but even if we changed it we still wouldn't get the nice remapped lookup behavior to exampleorg_scope.Object.prototype, because the proxy handler for CCW(examplecom_obj) isn't a ChromeObjectWrapper, and thus doesn't know how to to the prototype bouncing correctly. Anyway, I suspect this case isn't worth worrying about as long as we don't crash.
2024-09-13 09:24:08 -07:00 · 2012-07-30 22:18:55 +02:00 · 2012-07-30 22:18:55 +02:00 · 8a52cd6c9b
commit 8a52cd6c9b
parent a426db70af
3 changed files with 13 additions and 1 deletions
--- a/js/xpconnect/tests/unit/test_bug778409.js
+++ b/js/xpconnect/tests/unit/test_bug778409.js
@ -0,0 +1,11 @@
+function run_test() {
+  var Cu = Components.utils;
+  var sb1 = Cu.Sandbox('http://example.com');
+  var sb2 = Cu.Sandbox('http://example.org');
+  var chromeObj = {foo: 2};
+  var sb1obj = Cu.evalInSandbox('new Object()', sb1);
+  chromeObj.__proto__ = sb1obj;
+  sb2.wrapMe = chromeObj;
+  do_check_true(true, "Didn't crash");
+  do_check_eq(sb2.wrapMe.__proto__, sb1obj, 'proto set correctly');
+}
--- a/js/xpconnect/tests/unit/xpcshell.ini
+++ b/js/xpconnect/tests/unit/xpcshell.ini
@ -11,6 +11,7 @@ tail =
 [test_bug641378.js]
 [test_bug677864.js]
 [test_bug711404.js]
+[test_bug778409.js]
 [test_bug_442086.js]
 [test_file.js]
 [test_import.js]
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@ -402,7 +402,7 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *obj, JSObject *wrappedProto, JSO
            if (wrappedProto && IsCrossCompartmentWrapper(wrappedProto) &&
                (unwrappedProto = Wrapper::wrappedObject(wrappedProto))) {
                JSAutoEnterCompartment ac;
-                if (!ac.enter(cx, obj))
+                if (!ac.enter(cx, unwrappedProto))
                    return NULL;
                key = JS_IdentifyClassPrototype(cx, unwrappedProto);
            }