Fix for bug 731227 (Fix script object ownership in IDBWrapperCache/IDBCursor). r=bent.

--HG--
extra : rebase_source : 86074980306682ebe1c4df8e09c4c2f3c51c4bf2

dom/base/nsDOMClassInfo.cpp

@@ -684,11 +684,6 @@ public:
   NS_IMETHOD PreCreate(nsISupports *aNativeObj, JSContext *aCx,
                        JSObject *aGlobalObj, JSObject **aParentObj);
 
-  NS_IMETHOD AddProperty(nsIXPConnectWrappedNative *aWrapper, JSContext *aCx,
-                         JSObject *aObj, jsid aId, jsval *aVp, bool *aRetval);
-
-  virtual void PreserveWrapper(nsISupports *aNative);
-
   static nsIClassInfo *doCreate(nsDOMClassInfoData *aData)
   {
     return new IDBEventTargetSH(aData);
@@ -7700,25 +7695,6 @@ IDBEventTargetSH::PreCreate(nsISupports *aNativeObj, JSContext *aCx,
   return NS_OK;
 }
 
-NS_IMETHODIMP
-IDBEventTargetSH::AddProperty(nsIXPConnectWrappedNative *aWrapper,
-                              JSContext *aCx, JSObject *aObj, jsid aId,
-                              jsval *aVp, bool *aRetval)
-{
-  if (aId != sAddEventListener_id) {
-    IDBEventTargetSH::PreserveWrapper(GetNative(aWrapper, aObj));
-  }
-
-  return NS_OK;
-}
-
-void
-IDBEventTargetSH::PreserveWrapper(nsISupports *aNative)
-{
-  IDBWrapperCache *target = IDBWrapperCache::FromSupports(aNative);
-  nsContentUtils::PreserveWrapper(aNative, target);
-}
-
 // Element helper
 
 static bool

dom/indexedDB/IDBCursor.cpp

@@ -266,6 +266,14 @@ IDBCursor::CreateCommon(IDBRequest* aRequest,
   cursor->mOwner = database->GetOwner();
   cursor->mScriptOwner = database->GetScriptOwner();
 
+  if (cursor->mScriptOwner) {
+    if (NS_FAILED(NS_HOLD_JS_OBJECTS(cursor, IDBCursor))) {
+      return nsnull;
+    }
+
+    cursor->mRooted = true;
+  }
+
   cursor->mRequest = aRequest;
   cursor->mTransaction = aTransaction;
   cursor->mObjectStore = aObjectStore;

dom/indexedDB/IDBDatabase.cpp

@@ -164,7 +164,9 @@ IDBDatabase::Create(IDBWrapperCache* aOwnerCache,
 
   db->mScriptContext = aOwnerCache->GetScriptContext();
   db->mOwner = aOwnerCache->GetOwner();
-  db->mScriptOwner = aOwnerCache->GetScriptOwner();
+  if (!db->SetScriptOwner(aOwnerCache->GetScriptOwner())) {
+    return nsnull;
+  }
 
   db->mDatabaseId = databaseInfo->id;
   db->mName = databaseInfo->name;

dom/indexedDB/IDBRequest.cpp

@@ -88,7 +88,9 @@ IDBRequest::Create(nsISupports* aSource,
   request->mTransaction = aTransaction;
   request->mScriptContext = aOwnerCache->GetScriptContext();
   request->mOwner = aOwnerCache->GetOwner();
-  request->mScriptOwner = aOwnerCache->GetScriptOwner();
+  if (!request->SetScriptOwner(aOwnerCache->GetScriptOwner())) {
+    return nsnull;
+  }
 
   return request.forget();
 }
@@ -129,7 +131,7 @@ IDBRequest::NotifyHelperCompleted(HelperBase* aHelper)
 
   // Otherwise we need to get the result from the helper.
   JSContext* cx;
-  if (mScriptOwner) {
+  if (GetScriptOwner()) {
     nsIThreadJSContextStack* cxStack = nsContentUtils::ThreadJSContextStack();
     NS_ASSERTION(cxStack, "Failed to get thread context stack!");
 
@@ -317,7 +319,9 @@ IDBOpenDBRequest::Create(nsIScriptContext* aScriptContext,
 
   request->mScriptContext = aScriptContext;
   request->mOwner = aOwner;
-  request->mScriptOwner = aScriptOwner;
+  if (!request->SetScriptOwner(aScriptOwner)) {
+    return nsnull;
+  }
 
   return request.forget();
 }

dom/indexedDB/IDBTransaction.cpp

@@ -119,7 +119,9 @@ IDBTransaction::Create(IDBDatabase* aDatabase,
 
   transaction->mScriptContext = aDatabase->GetScriptContext();
   transaction->mOwner = aDatabase->GetOwner();
-  transaction->mScriptOwner = aDatabase->GetScriptOwner();
+  if (!transaction->SetScriptOwner(aDatabase->GetScriptOwner())) {
+    return nsnull;
+  }
 
   transaction->mDatabase = aDatabase;
   transaction->mMode = aMode;

dom/indexedDB/IDBWrapperCache.cpp

@@ -5,6 +5,7 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "IDBWrapperCache.h"
+#include "nsContentUtils.h"
 
 USING_INDEXEDDB_NAMESPACE
 
@@ -18,7 +19,10 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
 
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(IDBWrapperCache,
                                                 nsDOMEventTargetHelper)
-  tmp->mScriptOwner = nsnull;
+  if (tmp->mScriptOwner) {
+    NS_DROP_JS_OBJECTS(tmp, IDBWrapperCache);
+    tmp->mScriptOwner = nsnull;
+  }
 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
 
 NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBWrapperCache,
@@ -36,3 +40,36 @@ NS_INTERFACE_MAP_END_INHERITING(nsDOMEventTargetHelper)
 
 NS_IMPL_ADDREF_INHERITED(IDBWrapperCache, nsDOMEventTargetHelper)
 NS_IMPL_RELEASE_INHERITED(IDBWrapperCache, nsDOMEventTargetHelper)
+
+IDBWrapperCache::~IDBWrapperCache()
+{
+  if (mScriptOwner) {
+    NS_DROP_JS_OBJECTS(this, IDBWrapperCache);
+  }
+}
+
+bool
+IDBWrapperCache::SetScriptOwner(JSObject* aScriptOwner)
+{
+  if (!aScriptOwner) {
+    NS_ASSERTION(!mScriptOwner,
+                 "Don't null out existing owner, we need to call "
+                 "DropJSObjects!");
+
+    return true;
+  }
+
+  mScriptOwner = aScriptOwner;
+
+  nsISupports* thisSupports = NS_CYCLE_COLLECTION_UPCAST(this, IDBWrapperCache);
+  nsXPCOMCycleCollectionParticipant* participant;
+  CallQueryInterface(this, &participant);
+  nsresult rv = nsContentUtils::HoldJSObjects(thisSupports, participant);
+  if (NS_FAILED(rv)) {
+    NS_WARNING("nsContentUtils::HoldJSObjects failed.");
+    mScriptOwner = nsnull;
+    return false;
+  }
+
+  return true;
+}

dom/indexedDB/IDBWrapperCache.h

@@ -25,6 +25,7 @@ public:
   {
     return mScriptOwner;
   }
+  bool SetScriptOwner(JSObject* aScriptOwner);
 
   nsIScriptContext* GetScriptContext() const
   {
@@ -60,9 +61,9 @@ protected:
   : mScriptOwner(nsnull)
   { }
 
-  virtual ~IDBWrapperCache()
-  { }
+  virtual ~IDBWrapperCache();
 
+private:
   JSObject* mScriptOwner;
 };