Bug 862092 - "Assertion failure: target->isNative() == obj->isNative()" adopting a <select>. r=bz.

--HG-- extra : rebase_source : 1905aa3aa956a599e9ce1de8866f7dc58feb73be
2024-10-13 13:25:37 +00:00 · 2013-04-16 19:02:57 +02:00 · 2013-04-16 19:02:57 +02:00 · 0a02b10ae4
commit 0a02b10ae4
parent 63b663859d
5 changed files with 90 additions and 9 deletions
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@ -1492,24 +1492,37 @@ ReparentWrapper(JSContext* aCx, JS::HandleObject aObjArg)
  js::SetReservedSlot(newobj, DOM_OBJECT_SLOT,
                      js::GetReservedSlot(aObj, DOM_OBJECT_SLOT));

+  bool isProxy = js::IsProxy(aObj);
+
  // At this point, both |aObj| and |newobj| point to the same native
  // which is bad, because one of them will end up being finalized with a
  // native it does not own. |cloneGuard| ensures that if we exit before
  // clearing |aObj|'s reserved slot the reserved slot of |newobj| will be
  // set to null. |aObj| will go away soon, because we swap it with
  // another object during the transplant and let that object die.
-  JSObject *propertyHolder;
+  JSObject* propertyHolder;
  {
    AutoCloneDOMObjectSlotGuard cloneGuard(aObj, newobj);

-    propertyHolder = JS_NewObjectWithGivenProto(aCx, nullptr, nullptr,
-                                                newParent);
-    if (!propertyHolder) {
-      return NS_ERROR_OUT_OF_MEMORY;
+    JSObject* copyFrom;
+    if (isProxy) {
+      copyFrom = DOMProxyHandler::GetExpandoObject(aObj);
+    } else {
+      copyFrom = aObj;
    }

-    if (!JS_CopyPropertiesFrom(aCx, propertyHolder, aObj)) {
-      return NS_ERROR_FAILURE;
+    if (copyFrom) {
+      propertyHolder = JS_NewObjectWithGivenProto(aCx, nullptr, nullptr,
+                                                  newParent);
+      if (!propertyHolder) {
+        return NS_ERROR_OUT_OF_MEMORY;
+      }
+
+      if (!JS_CopyPropertiesFrom(aCx, propertyHolder, copyFrom)) {
+        return NS_ERROR_FAILURE;
+      }
+    } else {
+      propertyHolder = nullptr;
    }

    // Expandos from other compartments are attached to the target JS object.
@ -1558,8 +1571,18 @@ ReparentWrapper(JSContext* aCx, JS::HandleObject aObjArg)
  cache->SetPreservingWrapper(false);
  cache->SetWrapper(aObj);
  cache->SetPreservingWrapper(preserving);
-  if (!JS_CopyPropertiesFrom(aCx, aObj, propertyHolder)) {
-    MOZ_CRASH();
+
+  if (propertyHolder) {
+    JSObject* copyTo;
+    if (isProxy) {
+      copyTo = DOMProxyHandler::EnsureExpandoObject(aCx, aObj);
+    } else {
+      copyTo = aObj;
+    }
+
+    if (!copyTo || !JS_CopyPropertiesFrom(aCx, copyTo, propertyHolder)) {
+      MOZ_CRASH();
+    }
  }

  nsObjectLoadingContent* htmlobject;
--- a/dom/bindings/crashtests/862092.html
+++ b/dom/bindings/crashtests/862092.html
@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+function boom()
+{
+  var frameDoc = document.getElementById("f").contentDocument;
+  frameDoc.adoptNode(document.createElement("select"));
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<iframe id="f"></iframe>
+</body>
+</html>
--- a/dom/bindings/crashtests/crashtests.list
+++ b/dom/bindings/crashtests/crashtests.list
@ -4,3 +4,4 @@ load 822340-2.html
 load 832899.html
 load 860591.html
 load 860551.html
+load 862092.html
--- a/dom/bindings/test/Makefile.in
+++ b/dom/bindings/test/Makefile.in
@ -72,6 +72,7 @@ MOCHITEST_FILES := \
  test_queryInterface.html \
  test_exceptionThrowing.html \
  test_bug852846.html \
+  test_bug862092.html \
  $(NULL)

 MOCHITEST_CHROME_FILES = \
--- a/dom/bindings/test/test_bug862092.html
+++ b/dom/bindings/test/test_bug862092.html
@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=862092
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 862092</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 862092 **/
+
+  SimpleTest.waitForExplicitFinish();
+  function runTest()
+  {
+    var frameDoc = document.getElementById("f").contentDocument;
+    var a = document.createElement("select");
+    a.expando = "test";
+    a = frameDoc.adoptNode(a)
+    is(a.expando, "test", "adoptNode needs to preserve expandos");
+    SimpleTest.finish();
+  }
+
+  </script>
+</head>
+<body onload="runTest();">
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=862092">Mozilla Bug 862092</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe id="f"></iframe>
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>