Bug 1146316 - Preserve the wrapper of sandboxes, so that we never try to call WrapObject on them. r=bz.

--HG-- extra : rebase_source : a520fe62e7831c4a73f0ee4365c55f93965e14b6
2024-10-24 10:45:42 +00:00 · 2018-04-11 11:52:13 +02:00 · 2018-04-11 11:52:13 +02:00 · f2ba86d2a9
commit f2ba86d2a9
parent adbd1ab2da
3 changed files with 36 additions and 13 deletions
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -1051,11 +1051,8 @@ xpc::CreateSandboxObject(JSContext* cx, MutableHandleValue vp, nsISupports* prin
    {
        JSAutoCompartment ac(cx, sandbox);

-        nsCOMPtr<nsIScriptObjectPrincipal> sbp =
-            new SandboxPrivate(principal, sandbox);
-
-        // Pass on ownership of sbp to |sandbox|.
-        JS_SetPrivate(sandbox, sbp.forget().take());
+        // This creates a SandboxPrivate and passes ownership of it to |sandbox|.
+        SandboxPrivate::Create(principal, sandbox);

        // Ensure |Object.prototype| is instantiated before prototype-
        // splicing below.
--- a/js/xpconnect/src/SandboxPrivate.h
+++ b/js/xpconnect/src/SandboxPrivate.h
@ -22,17 +22,28 @@ class SandboxPrivate : public nsIGlobalObject,
                       public nsWrapperCache
 {
 public:
-    SandboxPrivate(nsIPrincipal* principal, JSObject* global)
-        : mPrincipal(principal)
-    {
-        SetIsNotDOMBinding();
-        SetWrapper(global);
-    }
-
    NS_DECL_CYCLE_COLLECTING_ISUPPORTS
    NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_AMBIGUOUS(SandboxPrivate,
                                                           nsIGlobalObject)

+    static void Create(nsIPrincipal* principal, JS::Handle<JSObject*> global)
+    {
+        RefPtr<SandboxPrivate> sbp = new SandboxPrivate(principal);
+        sbp->SetWrapper(global);
+        sbp->PreserveWrapper(ToSupports(sbp.get()));
+
+        // Pass on ownership of sbp to |global|.
+        // The type used to cast to void needs to match the one in GetPrivate.
+        JS_SetPrivate(global, static_cast<nsIScriptObjectPrincipal*>(sbp.forget().take()));
+    }
+
+    static SandboxPrivate* GetPrivate(JSObject* obj)
+    {
+        // The type used to cast to void needs to match the one in Create.
+        return static_cast<SandboxPrivate*>(
+            static_cast<nsIScriptObjectPrincipal*>(JS_GetPrivate(obj)));
+    }
+
    nsIPrincipal* GetPrincipal() override
    {
        return mPrincipal;
@ -60,7 +71,14 @@ public:
    }

 private:
-    virtual ~SandboxPrivate() { }
+    explicit SandboxPrivate(nsIPrincipal* principal)
+        : mPrincipal(principal)
+    {
+        SetIsNotDOMBinding();
+    }
+
+    virtual ~SandboxPrivate()
+    { }

    nsCOMPtr<nsIPrincipal> mPrincipal;
 };
--- a/js/xpconnect/src/XPCJSRuntime.cpp
+++ b/js/xpconnect/src/XPCJSRuntime.cpp
@ -3047,7 +3047,15 @@ XPCJSRuntime::InitSingletonScopes()
 void
 XPCJSRuntime::DeleteSingletonScopes()
 {
+    // We're pretty late in shutdown, so we call ReleaseWrapper on the scopes. This way
+    // the GC can collect them immediately, and we don't rely on the CC to clean up.
+    RefPtr<SandboxPrivate> sandbox = SandboxPrivate::GetPrivate(mUnprivilegedJunkScope);
+    sandbox->ReleaseWrapper(sandbox);
    mUnprivilegedJunkScope = nullptr;
+    sandbox = SandboxPrivate::GetPrivate(mPrivilegedJunkScope);
+    sandbox->ReleaseWrapper(sandbox);
    mPrivilegedJunkScope = nullptr;
+    sandbox = SandboxPrivate::GetPrivate(mCompilationScope);
+    sandbox->ReleaseWrapper(sandbox);
    mCompilationScope = nullptr;
 }