#416: M1374047 M1365413 M1369913 M1371424 M1346590 M1376087 M1322896 M1354796 M1365333 M1373970 M1355168

2024-06-01 01:41:37 +00:00 · 2017-07-16 17:51:39 -07:00 · 2017-07-16 17:51:39 -07:00 · 1bc1dd390d
commit 1bc1dd390d
parent 687ba7579f
11 changed files with 120 additions and 26 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -11317,6 +11317,21 @@ nsDocShell::OnNewURI(nsIURI* aURI, nsIChannel* aChannel, nsISupports* aOwner,
      (void)AddToSessionHistory(aURI, aChannel, aOwner, aCloneSHChildren,
                                getter_AddRefs(mLSHE));
    }
  } else if (mSessionHistory && mLSHE && mURIResultedInDocument) {
    // Even if we don't add anything to SHistory, ensure the current index
    // points to the same SHEntry as our mLSHE.
    int32_t index = 0;
    mSessionHistory->GetRequestedIndex(&index);
    if (index == -1) {
      mSessionHistory->GetIndex(&index);
    }
    nsCOMPtr<nsISHEntry> currentSH;
    mSessionHistory->GetEntryAtIndex(index, false, getter_AddRefs(currentSH));
    if (currentSH != mLSHE) {
      nsCOMPtr<nsISHistoryInternal> shPrivate =
        do_QueryInterface(mSessionHistory);
      shPrivate->ReplaceEntry(index, mLSHE);
    }
  }
  // If this is a POST request, we do not want to include this in global
--- a/dom/base/DirectionalityUtils.cpp
+++ b/dom/base/DirectionalityUtils.cpp
@ -209,6 +209,7 @@
 #include "nsINode.h"
 #include "nsIContent.h"
 #include "nsIDocument.h"
 #include "mozilla/AutoRestore.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/dom/Element.h"
 #include "nsIDOMHTMLDocument.h"
@ -441,6 +442,7 @@ class nsTextNodeDirectionalityMap
 public:
  explicit nsTextNodeDirectionalityMap(nsINode* aTextNode)
    : mElementToBeRemoved(nullptr)
  {
    MOZ_ASSERT(aTextNode, "Null text node");
    MOZ_COUNT_CTOR(nsTextNodeDirectionalityMap);
@ -454,11 +456,28 @@ public:
    MOZ_COUNT_DTOR(nsTextNodeDirectionalityMap);
  }
  static void
  nsTextNodeDirectionalityMapPropertyDestructor(void* aObject,
                                                nsIAtom* aProperty,
                                                void* aPropertyValue,
                                                void* aData)
  {
    nsTextNode* textNode =
      static_cast<nsTextNode*>(aPropertyValue);
    nsTextNodeDirectionalityMap* map = GetDirectionalityMap(textNode);
    if (map) {
      map->RemoveEntryForProperty(static_cast<Element*>(aObject));
    }
    NS_RELEASE(textNode);
  }
  void AddEntry(nsINode* aTextNode, Element* aElement)
  {
    if (!mElements.Contains(aElement)) {
      mElements.Put(aElement);
-      aElement->SetProperty(nsGkAtoms::dirAutoSetBy, aTextNode);
+      NS_ADDREF(aTextNode);
      aElement->SetProperty(nsGkAtoms::dirAutoSetBy, aTextNode,
                            nsTextNodeDirectionalityMapPropertyDestructor);
      aElement->SetHasDirAutoSet();
    }
  }
@ -470,11 +489,21 @@ public:
    mElements.Remove(aElement);
    aElement->ClearHasDirAutoSet();
-    aElement->UnsetProperty(nsGkAtoms::dirAutoSetBy);
+    aElement->DeleteProperty(nsGkAtoms::dirAutoSetBy);
  }
  void RemoveEntryForProperty(Element* aElement)
  {
    if (mElementToBeRemoved != aElement) {
      mElements.Remove(aElement);
    }
    aElement->ClearHasDirAutoSet();
  }
 private:
-  nsCheapSet<nsPtrHashKey<Element> > mElements;
+  nsCheapSet<nsPtrHashKey<Element>> mElements;
  // Only used for comparison.
  Element* mElementToBeRemoved;
  static nsTextNodeDirectionalityMap* GetDirectionalityMap(nsINode* aTextNode)
  {
@ -498,18 +527,29 @@ private:
    return OpNext;
  }
  struct nsTextNodeDirectionalityMapAndElement
  {
    nsTextNodeDirectionalityMap* mMap;
    nsCOMPtr<nsINode> mNode;
  };
  static nsCheapSetOperator ResetNodeDirection(nsPtrHashKey<Element>* aEntry, void* aData)
  {
    MOZ_ASSERT(aEntry->GetKey()->IsElement(), "Must be an Element");
    // run the downward propagation algorithm
    // and remove the text node from the map
-    nsINode* oldTextNode = static_cast<Element*>(aData);
+    nsTextNodeDirectionalityMapAndElement* data =
      static_cast<nsTextNodeDirectionalityMapAndElement*>(aData);
    nsINode* oldTextNode = data->mNode;
    Element* rootNode = aEntry->GetKey();
    nsINode* newTextNode = nullptr;
    if (rootNode->GetParentNode() && rootNode->HasDirAuto()) {
      newTextNode = WalkDescendantsSetDirectionFromText(rootNode, true,
                                                        oldTextNode);
    }
    AutoRestore<Element*> restore(data->mMap->mElementToBeRemoved);
    data->mMap->mElementToBeRemoved = rootNode;
    if (newTextNode) {
      nsINode* oldDirAutoSetBy = 
        static_cast<nsTextNode*>(rootNode->GetProperty(nsGkAtoms::dirAutoSetBy));
@ -520,7 +560,7 @@ private:
      nsTextNodeDirectionalityMap::AddEntryToMap(newTextNode, rootNode);
    } else {
      rootNode->ClearHasDirAutoSet();
-      rootNode->UnsetProperty(nsGkAtoms::dirAutoSetBy);
+      rootNode->DeleteProperty(nsGkAtoms::dirAutoSetBy);
    }
    return OpRemove;
  }
@ -529,7 +569,7 @@ private:
  {
    Element* rootNode = aEntry->GetKey();
    rootNode->ClearHasDirAutoSet();
-    rootNode->UnsetProperty(nsGkAtoms::dirAutoSetBy);
+    rootNode->DeleteProperty(nsGkAtoms::dirAutoSetBy);
    return OpRemove;
  }
@ -541,11 +581,13 @@ public:
  void ResetAutoDirection(nsINode* aTextNode)
  {
-    mElements.EnumerateEntries(ResetNodeDirection, aTextNode);
+    nsTextNodeDirectionalityMapAndElement data = { this, aTextNode };
    mElements.EnumerateEntries(ResetNodeDirection, &data);
  }
  void EnsureMapIsClear(nsINode* aTextNode)
  {
    AutoRestore<Element*> restore(mElementToBeRemoved);
    DebugOnly<uint32_t> clearedEntries =
      mElements.EnumerateEntries(ClearEntry, aTextNode);
    MOZ_ASSERT(clearedEntries == 0, "Map should be empty already");
@ -581,7 +623,8 @@ public:
  {
    MOZ_ASSERT(aTextNode->HasTextNodeDirectionalityMap(),
               "Map missing in ResetTextNodeDirection");
-    GetDirectionalityMap(aTextNode)->ResetAutoDirection(aChangedTextNode);
+    RefPtr<nsTextNode> textNode = aTextNode;
    GetDirectionalityMap(textNode)->ResetAutoDirection(aChangedTextNode);
  }
  static void EnsureMapIsClearFor(nsINode* aTextNode)
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@ -3102,6 +3102,7 @@ static nsIAtom** sPropertiesToTraverseAndUnlink[] =
    &nsGkAtoms::itemprop,
    &nsGkAtoms::sandbox,
    &nsGkAtoms::sizes,
    &nsGkAtoms::dirAutoSetBy,
    nullptr
  };
--- a/dom/base/WebSocket.cpp
+++ b/dom/base/WebSocket.cpp
@ -10,6 +10,7 @@
 #include "jsapi.h"
 #include "jsfriendapi.h"
 #include "mozilla/CheckedInt.h"
 #include "mozilla/DOMEventTargetHelper.h"
 #include "mozilla/net/WebSocketChannel.h"
 #include "mozilla/dom/File.h"
@ -610,6 +611,10 @@ WebSocketImpl::Disconnect()
  AssertIsOnTargetThread();
  // DontKeepAliveAnyMore() and DisconnectInternal() can release the object. So
  // hold a reference to this until the end of the method.
  RefPtr<WebSocketImpl> kungfuDeathGrip = this;
  // Disconnect can be called from some control event (such as Notify() of
  // WorkerFeature). This will be schedulated before any other sync/async
  // runnable. In order to prevent some double Disconnect() calls, we use this
@ -631,10 +636,6 @@ WebSocketImpl::Disconnect()
    rv.SuppressException();
  }
  // DontKeepAliveAnyMore() can release the object. So hold a reference to this
  // until the end of the method.
  RefPtr<WebSocketImpl> kungfuDeathGrip = this;
  NS_ReleaseOnMainThread(mChannel);
  NS_ReleaseOnMainThread(static_cast<nsIWebSocketEventService*>(mService.forget().take()));
@ -2380,7 +2381,14 @@ WebSocket::Send(nsIInputStream* aMsgStream,
  }
  // Always increment outgoing buffer len, even if closed
-  mOutgoingBufferedAmount += aMsgLength;
+  CheckedUint32 size = mOutgoingBufferedAmount;
  size += aMsgLength;
  if (MOZ_UNLIKELY(!size.isValid())) {
    aRv.Throw(NS_ERROR_OUT_OF_MEMORY);
    return;
  }
  mOutgoingBufferedAmount = size.value();
  if (readyState == CLOSING ||
      readyState == CLOSED) {
--- a/dom/base/nsImageLoadingContent.cpp
+++ b/dom/base/nsImageLoadingContent.cpp
@ -148,15 +148,22 @@ nsImageLoadingContent::Notify(imgIRequest* aRequest,
  }
  {
-    nsAutoScriptBlocker scriptBlocker;
+    // Calling Notify on observers can modify the list of observers so make
-
+    // a local copy.
    nsAutoTArray<nsCOMPtr<imgINotificationObserver>, 2> observers;
    for (ImageObserver* observer = &mObserverList, *next; observer;
         observer = next) {
      next = observer->mNext;
      if (observer->mObserver) {
-        observer->mObserver->Notify(aRequest, aType, aData);
+        observers.AppendElement(observer->mObserver);
      }
    }
    nsAutoScriptBlocker scriptBlocker;
    for (auto& observer : observers) {
        observer->Notify(aRequest, aType, aData);
    }
  }
  if (aType == imgINotificationObserver::SIZE_AVAILABLE) {
--- a/dom/bindings/TypedArray.h
+++ b/dom/bindings/TypedArray.h
@ -44,11 +44,13 @@ protected:
 public:
  inline void TraceSelf(JSTracer* trc)
  {
    // XXX: Until we implement something like bug 1235598 (and its successor
    // bug 1238786), we need these null checks.
    if (mTypedObj) {
      JS_CallUnbarrieredObjectTracer(trc, &mTypedObj, "TypedArray.mTypedObj");
    }
    if (mWrappedObj) {
-      JS_CallUnbarrieredObjectTracer(trc, &mTypedObj, "TypedArray.mWrappedObj");
+      JS_CallUnbarrieredObjectTracer(trc, &mWrappedObj, "TypedArray.mWrappedObj");
    }
  }
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@ -4822,7 +4822,17 @@ CanvasRenderingContext2D::DrawWindow(nsGlobalWindow& window, double x,
    return;
  }
  // Flush layout updates
  if (!(flags & nsIDOMCanvasRenderingContext2D::DRAWWINDOW_DO_NOT_FLUSH)) {
    nsContentUtils::FlushLayoutForTree(&window);
  }
  EnsureTarget();
  if (!IsTargetValid()) {
    return;
  }
  // We can't allow web apps to call this until we fix at least the
  // following potential security issues:
  // -- rendering cross-domain IFRAMEs and then extracting the results
@ -4836,11 +4846,6 @@ CanvasRenderingContext2D::DrawWindow(nsGlobalWindow& window, double x,
    return;
  }
  // Flush layout updates
  if (!(flags & nsIDOMCanvasRenderingContext2D::DRAWWINDOW_DO_NOT_FLUSH)) {
    nsContentUtils::FlushLayoutForTree(&window);
  }
  RefPtr<nsPresContext> presContext;
  nsIDocShell* docshell = window.GetDocShell();
  if (docshell) {
--- a/dom/canvas/ImageBitmap.cpp
+++ b/dom/canvas/ImageBitmap.cpp
@ -5,6 +5,7 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "mozilla/dom/ImageBitmap.h"
 #include "mozilla/CheckedInt.h"
 #include "mozilla/dom/ImageBitmapBinding.h"
 #include "mozilla/dom/Promise.h"
 #include "mozilla/dom/StructuredCloneTags.h"
@ -132,10 +133,14 @@ CropAndCopyDataSourceSurface(DataSourceSurface* aSurface, const IntRect& aCropRe
                                             + surfPortion.x * bytesPerPixel;
    uint8_t* dstBufferPtr = dstMap.GetData() + dest.y * dstMap.GetStride()
                                             + dest.x * bytesPerPixel;
-    const uint32_t copiedBytesPerRaw = surfPortion.width * bytesPerPixel;
+    CheckedInt<uint32_t> copiedBytesPerRaw =
      CheckedInt<uint32_t>(surfPortion.width) * bytesPerPixel;
    if (MOZ_UNLIKELY(!copiedBytesPerRaw.isValid())) {
      return nullptr;
    }
    for (int i = 0; i < surfPortion.height; ++i) {
-      memcpy(dstBufferPtr, srcBufferPtr, copiedBytesPerRaw);
+      memcpy(dstBufferPtr, srcBufferPtr, copiedBytesPerRaw.value());
      srcBufferPtr += srcMap.GetStride();
      dstBufferPtr += dstMap.GetStride();
    }
--- a/layout/base/nsDisplayList.cpp
+++ b/layout/base/nsDisplayList.cpp
@ -3328,6 +3328,10 @@ nsDisplayLayerEventRegions::AddFrame(nsDisplayListBuilder* aBuilder,
  if (borderBoxHasRoundedCorners ||
      (aFrame->GetStateBits() & NS_FRAME_SVG_LAYOUT)) {
    mMaybeHitRegion.Or(mMaybeHitRegion, borderBox);
    // Avoid quadratic performance as a result of the region growing to include
    // an arbitrarily large number of rects, which can happen on some pages.
    mMaybeHitRegion.SimplifyOutward(8);
  } else {
    mHitRegion.Or(mHitRegion, borderBox);
  }
--- a/netwerk/base/nsFileStreams.cpp
+++ b/netwerk/base/nsFileStreams.cpp
@ -897,6 +897,10 @@ nsAtomicFileOutputStream::DoOpen()
    nsCOMPtr<nsIFile> file;
    file.swap(mOpenParams.localFile);
    if(MOZ_UNLIKELY(!file)) {
      return NS_ERROR_NOT_INITIALIZED;
    }
    nsresult rv = file->Exists(&mTargetFileExists);
    if (NS_FAILED(rv)) {
        NS_ERROR("Can't tell if target file exists");
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@ -2831,9 +2831,9 @@ nsHttpConnectionMgr::TimeoutTickCB(const nsACString &key,
                LOG(("Force timeout of half open to %s after %.2fms.\n",
                     ent->mConnInfo->HashKey().get(), delta));
                if (half->SocketTransport())
-                    half->SocketTransport()->Close(NS_ERROR_ABORT);
+                    half->SocketTransport()->Close(NS_ERROR_NET_TIMEOUT);
                if (half->BackupTransport())
-                    half->BackupTransport()->Close(NS_ERROR_ABORT);
+                    half->BackupTransport()->Close(NS_ERROR_NET_TIMEOUT);
            }
            // If this half open hangs around for 5 seconds after we've closed() it