#410: M1363963

2024-06-06 06:29:31 +00:00 · 2017-06-28 20:08:10 -07:00 · 2017-06-28 20:08:10 -07:00 · 467573125f
commit 467573125f
parent 4f0b6c8932
2 changed files with 19 additions and 10 deletions
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@ -965,7 +965,7 @@ XrayTraits::expandoObjectMatchesConsumer(JSContext* cx,
 }

 bool
-XrayTraits::getExpandoObjectInternal(JSContext* cx, HandleObject target,
+XrayTraits::getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
                                     nsIPrincipal* origin,
                                     JSObject* exclusiveGlobalArg,
                                     MutableHandleObject expandoObject)
@ -976,12 +976,12 @@ XrayTraits::getExpandoObjectInternal(JSContext* cx, HandleObject target,
    // The expando object lives in the compartment of the target, so all our
    // work needs to happen there.
    RootedObject exclusiveGlobal(cx, exclusiveGlobalArg);
-    JSAutoCompartment ac(cx, target);
+    RootedObject head(cx, expandoChain);
+    JSAutoCompartment ac(cx, head);
    if (!JS_WrapObject(cx, &exclusiveGlobal))
        return false;

    // Iterate through the chain, looking for a same-origin object.
-    RootedObject head(cx, getExpandoChain(target));
    while (head) {
        if (expandoObjectMatchesConsumer(cx, head, origin, exclusiveGlobal)) {
            expandoObject.set(head);
@ -998,9 +998,15 @@ bool
 XrayTraits::getExpandoObject(JSContext* cx, HandleObject target, HandleObject consumer,
                             MutableHandleObject expandoObject)
 {
+    // Return early if no expando object has ever been attached, which is
+    // usually the case.
+    JSObject* chain = getExpandoChain(target);
+    if (!chain)
+        return true;
+
    JSObject* consumerGlobal = js::GetGlobalForObjectCrossCompartment(consumer);
    bool isSandbox = !strcmp(js::GetObjectJSClass(consumerGlobal)->name, "Sandbox");
-    return getExpandoObjectInternal(cx, target, ObjectPrincipal(consumer),
+    return getExpandoObjectInternal(cx, chain, ObjectPrincipal(consumer),
                                    isSandbox ? consumerGlobal : nullptr,
                                    expandoObject);
 }
@ -1016,11 +1022,14 @@ XrayTraits::attachExpandoObject(JSContext* cx, HandleObject target,
    // No duplicates allowed.
 #ifdef DEBUG
    {
-        RootedObject existingExpandoObject(cx);
-        if (getExpandoObjectInternal(cx, target, origin, exclusiveGlobal, &existingExpandoObject))
-            MOZ_ASSERT(!existingExpandoObject);
-        else
-            JS_ClearPendingException(cx);
+        JSObject* chain = getExpandoChain(target);
+        if (chain) {
+            RootedObject existingExpandoObject(cx);
+            if (getExpandoObjectInternal(cx, chain, origin, exclusiveGlobal, &existingExpandoObject))
+                MOZ_ASSERT(!existingExpandoObject);
+            else
+                JS_ClearPendingException(cx);
+        }
    }
 #endif

--- a/js/xpconnect/wrappers/XrayWrapper.h
+++ b/js/xpconnect/wrappers/XrayWrapper.h
@ -106,7 +106,7 @@ private:
    bool expandoObjectMatchesConsumer(JSContext* cx, JS::HandleObject expandoObject,
                                      nsIPrincipal* consumerOrigin,
                                      JS::HandleObject exclusiveGlobal);
-    bool getExpandoObjectInternal(JSContext* cx, JS::HandleObject target,
+    bool getExpandoObjectInternal(JSContext* cx, JSObject* expandoChain,
                                  nsIPrincipal* origin, JSObject* exclusiveGlobal,
                                  JS::MutableHandleObject expandoObject);
    JSObject* attachExpandoObject(JSContext* cx, JS::HandleObject target,