Fix for bug 504146 (Crash [@ nsGenericElement::cycleCollection::Traverse] with focus() method, popup, menulist, treecols). r=jst, sr=mrbkap.

--HG-- extra : rebase_source : ccd7a76cceab3f1ab593e2918d3847e14e8c5c22
2024-09-13 09:24:08 -07:00 · 2009-07-17 12:17:46 +02:00 · 2009-07-17 12:17:46 +02:00 · 9eeb6bea74
commit 9eeb6bea74
parent 9547e457d1
2 changed files with 20 additions and 3 deletions
--- a/js/src/xpconnect/src/xpcconvert.cpp
+++ b/js/src/xpconnect/src/xpcconvert.cpp
@ -1129,6 +1129,13 @@ XPCConvert::NativeInterface2JSObject(XPCCallContext& ccx,
                        *d = slim;
                        return JS_TRUE;
                    }
+
+                    // Even if ConstructSlimWrapper returns JS_FALSE it might
+                    // have created a wrapper (while calling the PreCreate
+                    // hook). In that case we need to fall through because we
+                    // either have a slim wrapper that needs to be morphed or
+                    // we have an XPCWrappedNative.
+                    flat = cache->GetWrapper();
                }
                else if(!IS_WRAPPER_CLASS(STOBJ_GET_CLASS(flat)))
                {
--- a/js/src/xpconnect/src/xpcwrappednative.cpp
+++ b/js/src/xpconnect/src/xpcwrappednative.cpp
@ -3787,6 +3787,16 @@ ConstructSlimWrapper(XPCCallContext &ccx, nsISupports *p, nsWrapperCache *cache,
        }
    }

+    // The PreCreate hook could have forced the creation of a wrapper, need
+    // to check for that here and return early.
+    JSObject* wrapper = cache->GetWrapper();
+    if(wrapper)
+    {
+        *rval = OBJECT_TO_JSVAL(wrapper);
+
+        return JS_TRUE;
+    }
+
    AutoMarkingWrappedNativeProtoPtr xpcproto(ccx);
    JSBool isGlobal = JS_FALSE;
    xpcproto = XPCWrappedNativeProto::GetNewOrUsed(ccx, xpcScope, classInfo,
@ -3802,9 +3812,9 @@ ConstructSlimWrapper(XPCCallContext &ccx, nsISupports *p, nsWrapperCache *cache,
    if(!jsclazz->addProperty)
        return JS_FALSE;

-    JSObject* wrapper =
-        xpc_NewSystemInheritingJSObject(ccx, jsclazz,
-                                        xpcproto->GetJSProtoObject(), parent);
+    wrapper = xpc_NewSystemInheritingJSObject(ccx, jsclazz,
+                                              xpcproto->GetJSProtoObject(),
+                                              parent);
    if(!JS_SetPrivate(ccx, wrapper, identityObj) ||
       !JS_SetReservedSlot(ccx, wrapper, 0, PRIVATE_TO_JSVAL(xpcproto.get())))
        return JS_FALSE;