Bug 818861 Shouldn't allow promising a flat string from a flat string r=dbaron

content/base/src/nsFrameMessageManager.cpp

@@ -231,7 +231,7 @@ GetParamsForMessage(JSContext* aCx,
   NS_ENSURE_TRUE(!json.IsEmpty(), false);
 
   jsval val = JSVAL_NULL;
-  NS_ENSURE_TRUE(JS_ParseJSON(aCx, static_cast<const jschar*>(PromiseFlatString(json).get()),
+  NS_ENSURE_TRUE(JS_ParseJSON(aCx, static_cast<const jschar*>(json.get()),
                               json.Length(), &val), false);
 
   return WriteStructuredClone(aCx, val, aBuffer, aClosure);
@@ -535,7 +535,7 @@ nsFrameMessageManager::ReceiveMessage(nsISupports* aTarget,
         }
         JSString* jsMessage =
           JS_NewUCStringCopyN(ctx,
-                              static_cast<const jschar*>(PromiseFlatString(aMessage).get()),
+                              static_cast<const jschar*>(aMessage.BeginReading()),
                               aMessage.Length());
         NS_ENSURE_TRUE(jsMessage, NS_ERROR_OUT_OF_MEMORY);
         JS_DefineProperty(ctx, param, "target", targetv, NULL, NULL, JSPROP_ENUMERATE);

content/canvas/src/WebGLContextGL.cpp

@@ -4169,15 +4169,13 @@ WebGLContext::CompileShader(WebGLShader *shader)
         // cleanSource nsAString instance will be destroyed before the reference is
         // actually used.
         StripComments stripComments(shader->Source());
-        const nsAString& cleanSource = nsString(stripComments.result().Elements(), stripComments.length());
+        const nsAString& cleanSource = Substring(stripComments.result().Elements(), stripComments.length());
         if (!ValidateGLSLString(cleanSource, "compileShader"))
             return;
 
-        const nsPromiseFlatString& flatSource = PromiseFlatString(cleanSource);
-
         // shaderSource() already checks that the source stripped of comments is in the
         // 7-bit ASCII range, so we can skip the NS_IsAscii() check.
-        const nsCString& sourceCString = NS_LossyConvertUTF16toASCII(flatSource);
+        NS_LossyConvertUTF16toASCII sourceCString(cleanSource);
 
         if (gl->WorkAroundDriverBugs()) {
             const uint32_t maxSourceLength = 0x3ffff;
@@ -4298,8 +4296,7 @@ WebGLContext::CompileShader(WebGLShader *shader)
             translatedSrc.SetLength(len);
             ShGetObjectCode(compiler, translatedSrc.BeginWriting());
 
-            nsPromiseFlatCString translatedSrc2(translatedSrc);
-            const char *ts = translatedSrc2.get();
+            const char *ts = translatedSrc.get();
 
             gl->fShaderSource(shadername, 1, &ts, NULL);
         } else { // not useShaderSourceTranslation
@@ -4613,7 +4610,7 @@ WebGLContext::ShaderSource(WebGLShader *shader, const nsAString& source)
     // cleanSource nsAString instance will be destroyed before the reference is
     // actually used.
     StripComments stripComments(source);
-    const nsAString& cleanSource = nsString(stripComments.result().Elements(), stripComments.length());
+    const nsAString& cleanSource = Substring(stripComments.result().Elements(), stripComments.length());
     if (!ValidateGLSLString(cleanSource, "compileShader"))
         return;
 

dom/plugins/base/nsPluginInstanceOwner.cpp

@@ -1018,7 +1018,7 @@ NS_IMETHODIMP nsPluginInstanceOwner::GetDocumentEncoding(const char* *result)
   if (charset.EqualsLiteral("us-ascii")) {
     *result = PL_strdup("US_ASCII");
   } else if (charset.EqualsLiteral("ISO-8859-1") ||
-      !nsCRT::strncmp(PromiseFlatCString(charset).get(), "UTF", 3)) {
+      !nsCRT::strncmp(charset.get(), "UTF", 3)) {
     *result = ToNewCString(charset);
   } else {
     if (!gCharsetMap) {

dom/plugins/ipc/PluginProcessChild.cpp

@@ -70,7 +70,7 @@ PluginProcessChild::Init()
                 setInterpose.Append(interpose);
             }
             // Values passed to PR_SetEnv() must be seperately allocated.
-            char* setInterposePtr = strdup(PromiseFlatCString(setInterpose).get());
+            char* setInterposePtr = strdup(setInterpose.get());
             PR_SetEnv(setInterposePtr);
         }
     }

gfx/thebes/gfxGDIFontList.cpp

@@ -427,7 +427,7 @@ GDIFontEntry::InitLogFont(const nsAString& aName,
     mLogFont.lfWeight         = mWeight;
 
     int len = NS_MIN<int>(aName.Length(), LF_FACESIZE - 1);
-    memcpy(&mLogFont.lfFaceName, nsPromiseFlatString(aName).get(), len * 2);
+    memcpy(&mLogFont.lfFaceName, aName.BeginReading(), len * sizeof(PRUnichar));
     mLogFont.lfFaceName[len] = '\0';
 }
 
@@ -560,10 +560,7 @@ GDIFontFamily::FindStyleVariations()
     logFont.lfCharSet = DEFAULT_CHARSET;
     logFont.lfPitchAndFamily = 0;
     uint32_t l = NS_MIN<uint32_t>(mName.Length(), LF_FACESIZE - 1);
-    memcpy(logFont.lfFaceName,
-           nsPromiseFlatString(mName).get(),
-           l * sizeof(PRUnichar));
-    logFont.lfFaceName[l] = 0;
+    memcpy(logFont.lfFaceName, mName.get(), l * sizeof(PRUnichar));
 
     EnumFontFamiliesExW(hdc, &logFont,
                         (FONTENUMPROCW)GDIFontFamily::FamilyAddStylesProc,

image/decoders/icon/mac/nsIconChannelCocoa.mm

@@ -233,7 +233,7 @@ nsresult nsIconChannel::MakeInputStream(nsIInputStream** _retval, bool nonBlocki
 
   // if we don't have an icon yet try to get one by extension
   if (!iconImage && !fileExt.IsEmpty()) {
-    NSString* fileExtension = [NSString stringWithUTF8String:PromiseFlatCString(fileExt).get()];
+    NSString* fileExtension = [NSString stringWithUTF8String:fileExt.get()];
     iconImage = [[NSWorkspace sharedWorkspace] iconForFileType:fileExtension];
   }
 

profile/dirserviceprovider/src/nsProfileLock.cpp

@@ -208,8 +208,7 @@ nsresult nsProfileLock::LockWithFcntl(nsIFile *aLockFile)
 
     aLockFile->GetLastModifiedTime(&mReplacedLockTime);
 
-    mLockFileDesc = open(PromiseFlatCString(lockFilePath).get(),
-                          O_WRONLY | O_CREAT | O_TRUNC, 0666);
+    mLockFileDesc = open(lockFilePath.get(), O_WRONLY | O_CREAT | O_TRUNC, 0666);
     if (mLockFileDesc != -1)
     {
         struct flock lock;
@@ -336,8 +335,7 @@ nsresult nsProfileLock::LockWithSymlink(nsIFile *aLockFile, bool aHaveFcntlLock)
     char *signature =
         PR_smprintf("%s:%s%lu", inet_ntoa(inaddr), aHaveFcntlLock ? "+" : "",
                     (unsigned long)getpid());
-    const nsPromiseFlatCString& flat = PromiseFlatCString(lockFilePath);
-    const char *fileName = flat.get();
+    const char *fileName = lockFilePath.get();
     int symlink_rv, symlink_errno = 0, tries = 0;
 
     // use ns4.x-compatible symlinks if the FS supports them

toolkit/components/alerts/nsAlertsService.cpp

@@ -78,12 +78,12 @@ NS_IMETHODIMP nsAlertsService::ShowAlertNotification(const nsAString & aImageUrl
     if (aAlertListener)
       cpc->AddRemoteAlertObserver(PromiseFlatString(aAlertCookie), aAlertListener);
 
-    cpc->SendShowAlertNotification(nsAutoString(aImageUrl),
-                                   nsAutoString(aAlertTitle),
-                                   nsAutoString(aAlertText),
+    cpc->SendShowAlertNotification(PromiseFlatString(aImageUrl),
+                                   PromiseFlatString(aAlertTitle),
+                                   PromiseFlatString(aAlertText),
                                    aAlertTextClickable,
-                                   nsAutoString(aAlertCookie),
-                                   nsAutoString(aAlertName));
+                                   PromiseFlatString(aAlertCookie),
+                                   PromiseFlatString(aAlertName));
     return NS_OK;
   }
 

toolkit/components/places/History.cpp

@@ -2020,7 +2020,7 @@ History::SetURITitle(nsIURI* aURI, const nsAString& aTitle)
     mozilla::dom::ContentChild * cpc = 
       mozilla::dom::ContentChild::GetSingleton();
     NS_ASSERTION(cpc, "Content Protocol is NULL!");
-    (void)cpc->SendSetURITitle(uri, nsString(aTitle));
+    (void)cpc->SendSetURITitle(uri, PromiseFlatString(aTitle));
     return NS_OK;
   } 
 

toolkit/xre/nsAppRunner.cpp

@@ -3807,8 +3807,7 @@ XREMain::XRE_mainRun()
     if (!mDisableRemote)
       mRemoteService = do_GetService("@mozilla.org/toolkit/remote-service;1");
     if (mRemoteService)
-      mRemoteService->Startup(mAppData->name,
-                              PromiseFlatCString(mProfileName).get());
+      mRemoteService->Startup(mAppData->name, mProfileName.get());
 #endif /* MOZ_ENABLE_XREMOTE */
 
     mNativeApp->Enable();

xpcom/base/nsCycleCollector.cpp

@@ -1615,10 +1615,11 @@ private:
             // On android the default system umask is 0077 which makes these files
             // unreadable to the shell user. In order to pull the dumps off a non-rooted
             // device we need to chmod them to something world-readable.
+            // XXX why not logFile->SetPermissions(0644);
             nsAutoCString path;
             rv = logFile->GetNativePath(path);
             if (NS_SUCCEEDED(rv)) {
-                chmod(PromiseFlatCString(path).get(), 0644);
+                chmod(path.get(), 0644);
             }
         }
 #endif

xpcom/base/nsMemoryInfoDumper.cpp

@@ -498,10 +498,11 @@ OpenTempFile(const nsACString &aFilename, nsIFile* *aFile)
     // On android the default system umask is 0077 which makes these files
     // unreadable to the shell user. In order to pull the dumps off a non-rooted
     // device we need to chmod them to something world-readable.
+    // XXX why not logFile->SetPermissions(0644);
     nsAutoCString path;
     rv = file->GetNativePath(path);
     if (NS_SUCCEEDED(rv)) {
-      chmod(PromiseFlatCString(path).get(), 0644);
+      chmod(path.get(), 0644);
     }
   }
 #endif

xpcom/string/public/nsTPromiseFlatString.h

@@ -28,11 +28,11 @@
    * promises.  You must never use it to promise characters out of a string
    * with a shorter lifespan.  The typical use will be something like this:
    *
-   *   SomeOSFunction( PromiseFlatCString(aCString).get() ); // GOOD
+   *   SomeOSFunction( PromiseFlatCString(aCSubstring).get() ); // GOOD
    *
    * Here's a BAD use:
    *
-   *  const char* buffer = PromiseFlatCString(aCString).get();
+   *  const char* buffer = PromiseFlatCString(aCSubstring).get();
    *  SomeOSFunction(buffer); // BAD!! |buffer| is a dangling pointer
    *
    * The only way to make one is with the function |PromiseFlat[C]String|,
@@ -40,9 +40,9 @@
    * around for a little while?'' you might ask.  In that case, you can keep a
    * reference, like so
    *
-   *   const nsPromiseFlatString& flat = PromiseFlatString(aString);
+   *   const nsCString& flat = PromiseFlatString(aCSubstring);
    *     // this reference holds the anonymous temporary alive, but remember,
-   *     // it must _still_ have a lifetime shorter than that of |aString|
+   *     // it must _still_ have a lifetime shorter than that of |aCSubstring|
    *
    *  SomeOSFunction(flat.get());
    *  SomeOtherOSFunction(flat.get());
@@ -69,10 +69,13 @@ class nsTPromiseFlatString_CharT : public nsTString_CharT
       void Init( const substring_type& );
 
         // NOT TO BE IMPLEMENTED
-      void operator=( const self_type& );
+      void operator=( const self_type& ) MOZ_DELETE;
 
         // NOT TO BE IMPLEMENTED
-      nsTPromiseFlatString_CharT();
+      nsTPromiseFlatString_CharT() MOZ_DELETE;
+
+        // NOT TO BE IMPLEMENTED
+      nsTPromiseFlatString_CharT( const string_type& str ) MOZ_DELETE;
 
     public:
 
@@ -93,18 +96,11 @@ class nsTPromiseFlatString_CharT : public nsTString_CharT
         }
   };
 
-  // e.g., PromiseFlatCString(Substring(s))
-inline
+// We template this so that the constructor is chosen based on the type of the
+// parameter. This allows us to reject attempts to promise a flat flat string.
+template<class T>
 const nsTPromiseFlatString_CharT
-TPromiseFlatString_CharT( const nsTSubstring_CharT& frag )
+TPromiseFlatString_CharT( const T& string )
   {
-    return nsTPromiseFlatString_CharT(frag);
-  }
-
-  // e.g., PromiseFlatCString(a + b)
-inline
-const nsTPromiseFlatString_CharT
-TPromiseFlatString_CharT( const nsTSubstringTuple_CharT& tuple )
-  {
-    return nsTPromiseFlatString_CharT(tuple);
+    return nsTPromiseFlatString_CharT(string);
   }