Bug 866450 Part 3: Fix rooting hazards under content/ and dom/ r=bz

2024-09-13 09:24:08 -07:00 · 2013-05-02 05:12:46 -04:00 · 2013-05-02 05:12:46 -04:00 · b410d41cc0
commit b410d41cc0
parent bc9b1bccdc
2 changed files with 29 additions and 28 deletions
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@ -952,8 +952,8 @@ static JSObject*
 NewOuterWindowProxy(JSContext *cx, JSObject *parent, bool isChrome)
 {
  JSAutoCompartment ac(cx, parent);
-  JSObject *proto;
-  if (!js::GetObjectProto(cx, parent, &proto))
+  JS::Rooted<JSObject*> proto(cx);
+  if (!js::GetObjectProto(cx, parent, proto.address()))
    return nullptr;

  JSObject *obj = js::Wrapper::New(cx, parent, proto, parent,
@ -2036,8 +2036,8 @@ nsGlobalWindow::SetOuterObject(JSContext* aCx, JSObject* aOuterObject)

  // Set up the prototype for the outer object.
  JSObject* inner = JS_GetParent(aOuterObject);
-  JSObject* proto;
-  if (!JS_GetPrototype(aCx, inner, &proto)) {
+  JS::Rooted<JSObject*> proto(aCx);
+  if (!JS_GetPrototype(aCx, inner, proto.address())) {
    return NS_ERROR_FAILURE;
  }
  JS_SetPrototype(aCx, aOuterObject, proto);
@ -6462,8 +6462,8 @@ JSObject* nsGlobalWindow::CallerGlobal()
  // retrieve the global corresponding to the innermost scripted frame. Then,
  // we verify that its principal is subsumed by the subject principal. If it
  // isn't, something is screwy, and we want to clamp to the cx global.
-  JSObject *scriptedGlobal = JS_GetScriptedGlobal(cx);
-  JSObject *cxGlobal = JS_GetGlobalForScopeChain(cx);
+  JS::Rooted<JSObject*> scriptedGlobal(cx, JS_GetScriptedGlobal(cx));
+  JS::Rooted<JSObject*> cxGlobal(cx, JS_GetGlobalForScopeChain(cx));
  if (!xpc::AccessCheck::subsumes(cxGlobal, scriptedGlobal)) {
    NS_WARNING("Something nasty is happening! Applying countermeasures...");
    return cxGlobal;
@ -6477,7 +6477,7 @@ nsGlobalWindow::CallerInnerWindow()
 {
  JSContext *cx = nsContentUtils::GetCurrentJSContext();
  NS_ENSURE_TRUE(cx, nullptr);
-  JSObject *scope = CallerGlobal();
+  JS::Rooted<JSObject*> scope(cx, CallerGlobal());

  // When Jetpack runs content scripts inside a sandbox, it uses
  // sandboxPrototype to make them appear as though they're running in the
@ -6487,8 +6487,8 @@ nsGlobalWindow::CallerInnerWindow()
  // now we need to do some special handling to support it.
  {
    JSAutoCompartment ac(cx, scope);
-    JSObject *scopeProto;
-    bool ok = JS_GetPrototype(cx, scope, &scopeProto);
+    JS::Rooted<JSObject*> scopeProto(cx);
+    bool ok = JS_GetPrototype(cx, scope, scopeProto.address());
    NS_ENSURE_TRUE(ok, nullptr);
    if (scopeProto && xpc::IsSandboxPrototypeProxy(scopeProto) &&
        (scopeProto = js::CheckedUnwrap(scopeProto, /* stopAtOuter = */ false)))
@ -6590,10 +6590,10 @@ PostMessageReadStructuredClone(JSContext* cx,
    if (JS_ReadBytes(reader, &supports, sizeof(supports))) {
      JS::Rooted<JSObject*> global(cx, JS_GetGlobalForScopeChain(cx));
      if (global) {
-        JS::Value val;
+        JS::Rooted<JS::Value> val(cx);
        nsCOMPtr<nsIXPConnectJSObjectHolder> wrapper;
        if (NS_SUCCEEDED(nsContentUtils::WrapNative(cx, global, supports,
-                                                    &val,
+                                                    val.address(),
                                                    getter_AddRefs(wrapper)))) {
          return JSVAL_TO_OBJECT(val);
        }
@ -6728,13 +6728,13 @@ PostMessageEvent::Run()
  }

  // Deserialize the structured clone data
-  JS::Value messageData;
+  JS::Rooted<JS::Value> messageData(cx);
  {
    JSAutoRequest ar(cx);
    StructuredCloneInfo scInfo;
    scInfo.event = this;

-    if (!buffer.read(cx, &messageData, &kPostMessageCallbacks, &scInfo))
+    if (!buffer.read(cx, messageData.address(), &kPostMessageCallbacks, &scInfo))
      return NS_ERROR_DOM_DATA_CLONE_ERR;
  }

@ -7366,7 +7366,7 @@ public:
        JSContext* cx = nsContentUtils::GetSafeJSContext();

        JSAutoRequest ar(cx);
-        js::NukeCrossCompartmentWrappers(cx, 
+        js::NukeCrossCompartmentWrappers(cx,
                                         js::ChromeCompartmentsOnly(),
                                         js::SingleCompartment(js::GetObjectCompartment(obj)),
                                         window->IsInnerWindow() ? js::DontNukeWindowReferences :
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@ -756,9 +756,9 @@ nsJSContext::DOMOperationCallback(JSContext *cx)
  NS_ENSURE_TRUE(prompt, JS_FALSE);

  // Check if we should offer the option to debug
-  JSScript *script;
+  JS::RootedScript script(cx);
  unsigned lineno;
-  JSBool hasFrame = ::JS_DescribeScriptedCaller(cx, &script, &lineno);
+  JSBool hasFrame = ::JS_DescribeScriptedCaller(cx, script.address(), &lineno);

  bool debugPossible = hasFrame && js::CanCallContextDebugHandler(cx);
 #ifdef MOZ_JSDEBUGGER
@ -1354,7 +1354,7 @@ nsJSContext::CompileScript(const PRUnichar* aText,

  NS_ENSURE_ARG_POINTER(aPrincipal);

-  JSObject* scopeObject = ::JS_GetGlobalObject(mContext);
+  JS::Rooted<JSObject*> scopeObject(mContext, ::JS_GetGlobalObject(mContext));
  xpc_UnmarkGrayObject(scopeObject);

  bool ok = false;
@ -1482,8 +1482,8 @@ nsJSContext::JSObjectFromInterface(nsISupports* aTarget, JS::HandleObject aScope
  // Get the jsobject associated with this target
  // We don't wrap here because we trust the JS engine to wrap the target
  // later.
-  JS::Value v;
-  nsresult rv = nsContentUtils::WrapNative(mContext, aScope, aTarget, &v);
+  JS::Rooted<JS::Value> v(mContext);
+  nsresult rv = nsContentUtils::WrapNative(mContext, aScope, aTarget, v.address());
  NS_ENSURE_SUCCESS(rv, rv);

 #ifdef DEBUG
@ -1562,8 +1562,9 @@ nsresult
 nsJSContext::Deserialize(nsIObjectInputStream* aStream,
                         JS::MutableHandle<JSScript*> aResult)
 {
-  JSScript *script;
-  nsresult rv = nsContentUtils::XPConnect()->ReadScript(aStream, mContext, &script);
+  JS::RootedScript script(mContext);
+  nsresult rv =
+    nsContentUtils::XPConnect()->ReadScript(aStream, mContext, script.address());
  if (NS_FAILED(rv)) return rv;

  aResult.set(script);
@ -1573,7 +1574,7 @@ nsJSContext::Deserialize(nsIObjectInputStream* aStream,
 nsIScriptGlobalObject *
 nsJSContext::GetGlobalObject()
 {
-  JSObject *global = ::JS_GetGlobalObject(mContext);
+  JS::Rooted<JSObject*> global(mContext, ::JS_GetGlobalObject(mContext));

  if (!global) {
    return nullptr;
@ -1778,8 +1779,8 @@ nsJSContext::ConvertSupportsTojsvals(nsISupports *aArgs,
                       "Don't pass nsISupportsPrimitives - use nsIVariant!");
 #endif
          nsCOMPtr<nsIXPConnectJSObjectHolder> wrapper;
-          JS::Value v;
-          rv = nsContentUtils::WrapNative(mContext, aScope, arg, &v,
+          JS::Rooted<JS::Value> v(mContext);
+          rv = nsContentUtils::WrapNative(mContext, aScope, arg, v.address(),
                                          getter_AddRefs(wrapper));
          if (NS_SUCCEEDED(rv)) {
            *thisval = v;
@ -1979,9 +1980,9 @@ nsJSContext::AddSupportsPrimitiveTojsvals(nsISupports *aArg, JS::Value *aArgv)

      nsCOMPtr<nsIXPConnectJSObjectHolder> wrapper;
      JS::Rooted<JSObject*> global(cx, xpc_UnmarkGrayObject(::JS_GetGlobalObject(cx)));
-      JS::Value v;
+      JS::Rooted<JS::Value> v(cx);
      nsresult rv = nsContentUtils::WrapNative(cx, global,
-                                               data, iid, &v,
+                                               data, iid, v.address(),
                                               getter_AddRefs(wrapper));
      NS_ENSURE_SUCCESS(rv, rv);

@ -3393,9 +3394,9 @@ NS_DOMReadStructuredClone(JSContext* cx,
  if (tag == SCTAG_DOM_IMAGEDATA) {
    // Read the information out of the stream.
    uint32_t width, height;
-    JS::Value dataArray;
+    JS::Rooted<JS::Value> dataArray(cx);
    if (!JS_ReadUint32Pair(reader, &width, &height) ||
-        !JS_ReadTypedArray(reader, &dataArray)) {
+        !JS_ReadTypedArray(reader, dataArray.address())) {
      return nullptr;
    }
    MOZ_ASSERT(dataArray.isObject());