Merge inbound to m-c. a=merge

mozilla-spidermonkey · Jan 26, 2015 · 1a7fc67 · 1a7fc67
2 parents 990e6af + 488af48
commit 1a7fc67
Show file tree

Hide file tree

Showing 126 changed files with 2,440 additions and 933 deletions.
diff --git a/accessible/generic/Accessible.cpp b/accessible/generic/Accessible.cpp
@@ -525,11 +525,8 @@ Accessible::ChildAtPoint(int32_t aX, int32_t aY,
 {
   // If we can't find the point in a child, we will return the fallback answer:
   // we return |this| if the point is within it, otherwise nullptr.
-  nsIntRect rect = Bounds();
-  if (rect.IsEmpty())
-   return nullptr;
-
   Accessible* fallbackAnswer = nullptr;
+  nsIntRect rect = Bounds();
   if (aX >= rect.x && aX < rect.x + rect.width &&
       aY >= rect.y && aY < rect.y + rect.height)
     fallbackAnswer = this;

diff --git a/accessible/tests/mochitest/hittest/test_general.html b/accessible/tests/mochitest/hittest/test_general.html
@@ -68,6 +68,8 @@
       hitTest("imgmap", theLetterA, theLetterA);
       hitTest("container", "imgmap", theLetterA);
 
+      // hit testing for element contained by zero-width element
+      hitTest("container2", "container2_input", "container2_input");
       SimpleTest.finish();
     }
 
@@ -106,5 +108,8 @@
     <img id="imgmap" width="447" height="15" usemap="#atoz_map" src="../letters.gif"/>
   </div>
 
+  <div id="container2" style="width: 0px">
+    <input id="container2_input">
+  </div>
 </body>
 </html>
diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
@@ -1186,7 +1186,7 @@ pref("security.sandbox.windows.log", false);
 // To get a different setting for a particular plugin replace "default", with
 // the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
 pref("dom.ipc.plugins.sandbox.default", false);
-pref("dom.ipc.plugins.sandbox.flash", false);
+pref("dom.ipc.plugins.sandbox.flash", true);
 
 #if defined(MOZ_CONTENT_SANDBOX)
 // This controls whether the Windows content process sandbox is using a more

diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
@@ -3383,10 +3383,8 @@ nsDocShell::SetDocLoaderParent(nsDocLoader * aParent)
         {
             SetIsActive(value);
         }
-        if (NS_SUCCEEDED(parentAsDocShell->GetIsPrerendered(&value))) {
-            if (value) {
-                SetIsPrerendered(true);
-            }
+        if (parentAsDocShell->GetIsPrerendered()) {
+          SetIsPrerendered(true);
         }
         if (NS_FAILED(parentAsDocShell->GetAllowDNSPrefetch(&value))) {
             value = false;

diff --git a/docshell/base/nsIDocShell.idl b/docshell/base/nsIDocShell.idl
@@ -624,7 +624,7 @@ interface nsIDocShell : nsIDocShellTreeItem
    * native code to be able to put a docshell in prerendering.
    */
   [noscript] void SetIsPrerendered(in boolean prerendered);
-  readonly attribute boolean isPrerendered;
+  [infallible] readonly attribute boolean isPrerendered;
 
   /**
    * The ID of the docshell in the session history.

diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
@@ -397,10 +397,10 @@ EventListenerManagerHashClearEntry(PLDHashTable *table, PLDHashEntryHdr *entry)
   lm->~EventListenerManagerMapEntry();
 }
 
-class SameOriginChecker MOZ_FINAL : public nsIChannelEventSink,
-                                    public nsIInterfaceRequestor
+class SameOriginCheckerImpl MOZ_FINAL : public nsIChannelEventSink,
+                                        public nsIInterfaceRequestor
 {
-  ~SameOriginChecker() {}
+  ~SameOriginCheckerImpl() {}
 
   NS_DECL_ISUPPORTS
   NS_DECL_NSICHANNELEVENTSINK
@@ -5648,11 +5648,11 @@ nsContentUtils::StringContainsASCIIUpper(const nsAString& aStr)
 
 /* static */
 nsIInterfaceRequestor*
-nsContentUtils::GetSameOriginChecker()
+nsContentUtils::SameOriginChecker()
 {
   if (!sSameOriginChecker) {
-    sSameOriginChecker = new SameOriginChecker();
-    NS_IF_ADDREF(sSameOriginChecker);
+    sSameOriginChecker = new SameOriginCheckerImpl();
+    NS_ADDREF(sSameOriginChecker);
   }
   return sSameOriginChecker;
 }
@@ -5683,15 +5683,15 @@ nsContentUtils::CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel
   return rv;
 }
 
-NS_IMPL_ISUPPORTS(SameOriginChecker,
+NS_IMPL_ISUPPORTS(SameOriginCheckerImpl,
                   nsIChannelEventSink,
                   nsIInterfaceRequestor)
 
 NS_IMETHODIMP
-SameOriginChecker::AsyncOnChannelRedirect(nsIChannel *aOldChannel,
-                                          nsIChannel *aNewChannel,
-                                          uint32_t aFlags,
-                                          nsIAsyncVerifyRedirectCallback *cb)
+SameOriginCheckerImpl::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
+                                              nsIChannel* aNewChannel,
+                                              uint32_t aFlags,
+                                              nsIAsyncVerifyRedirectCallback* cb)
 {
   NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
 
@@ -5704,7 +5704,7 @@ SameOriginChecker::AsyncOnChannelRedirect(nsIChannel *aOldChannel,
 }
 
 NS_IMETHODIMP
-SameOriginChecker::GetInterface(const nsIID & aIID, void **aResult)
+SameOriginCheckerImpl::GetInterface(const nsIID& aIID, void** aResult)
 {
   return QueryInterface(aIID, aResult);
 }

diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
@@ -1635,7 +1635,7 @@ class nsContentUtils
 
   // Returns NS_OK for same origin, error (NS_ERROR_DOM_BAD_URI) if not.
   static nsresult CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel);
-  static nsIInterfaceRequestor* GetSameOriginChecker();
+  static nsIInterfaceRequestor* SameOriginChecker();
 
   /**
    * Get the Origin of the passed in nsIPrincipal or nsIURI. If the passed in

diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
@@ -1337,8 +1337,7 @@ nsExternalResourceMap::PendingLoad::StartLoad(nsIURI* aURI,
 
   nsIDocument* doc = aRequestingNode->OwnerDoc();
 
-  nsCOMPtr<nsIInterfaceRequestor> req = nsContentUtils::GetSameOriginChecker();
-  NS_ENSURE_TRUE(req, NS_ERROR_OUT_OF_MEMORY);
+  nsCOMPtr<nsIInterfaceRequestor> req = nsContentUtils::SameOriginChecker();
 
   nsCOMPtr<nsILoadGroup> loadGroup = doc->GetDocumentLoadGroup();
   nsCOMPtr<nsIChannel> channel;

diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
@@ -4342,10 +4342,11 @@ nsGlobalWindow::GetOwnPropertyNames(JSContext* aCx, nsTArray<nsString>& aNames,
 }
 
 /* static */ bool
-nsGlobalWindow::IsChromeWindow(JSContext* aCx, JSObject* aObj)
+nsGlobalWindow::IsPrivilegedChromeWindow(JSContext* aCx, JSObject* aObj)
 {
   // For now, have to deal with XPConnect objects here.
-  return xpc::WindowOrNull(aObj)->IsChromeWindow();
+  return xpc::WindowOrNull(aObj)->IsChromeWindow() &&
+         nsContentUtils::ObjectPrincipal(aObj) == nsContentUtils::GetSystemPrincipal();
 }
 
 /* static */ bool

diff --git a/dom/base/nsGlobalWindow.h b/dom/base/nsGlobalWindow.h
@@ -491,7 +491,7 @@ class nsGlobalWindow : public mozilla::dom::EventTarget,
 
   void GetSupportedNames(nsTArray<nsString>& aNames);
 
-  static bool IsChromeWindow(JSContext* /* unused */, JSObject* aObj);
+  static bool IsPrivilegedChromeWindow(JSContext* /* unused */, JSObject* aObj);
 
   static bool IsShowModalDialogEnabled(JSContext* /* unused */ = nullptr,
                                        JSObject* /* unused */ = nullptr);

diff --git a/dom/bindings/BindingUtils.cpp b/dom/bindings/BindingUtils.cpp
@@ -20,6 +20,7 @@
 #include "jsfriendapi.h"
 #include "nsContentUtils.h"
 #include "nsGlobalWindow.h"
+#include "nsIDocShell.h"
 #include "nsIDOMGlobalPropertyInitializer.h"
 #include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
@@ -2381,12 +2382,47 @@ CheckPermissions(JSContext* aCx, JSObject* aObj, const char* const aPermissions[
   return false;
 }
 
+void
+HandlePrerenderingViolation(nsPIDOMWindow* aWindow)
+{
+  // Suspend the window and its workers, and its children too.
+  aWindow->SuspendTimeouts();
+
+  // Suspend event handling on the document
+  nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
+  if (doc) {
+    doc->SuppressEventHandling(nsIDocument::eEvents);
+  }
+}
+
 bool
-CheckSafetyInPrerendering(JSContext* aCx, JSObject* aObj)
+EnforceNotInPrerendering(JSContext* aCx, JSObject* aObj)
 {
-  //TODO: Check if page is being prerendered.
-  //Returning false for now.
-  return false;
+  JS::Rooted<JSObject*> thisObj(aCx, js::CheckedUnwrap(aObj));
+  if (!thisObj) {
+    // Without a this object, we cannot check the safety.
+    return true;
+  }
+  nsGlobalWindow* window = xpc::WindowGlobalOrNull(thisObj);
+  if (!window) {
+    // Without a window, we cannot check the safety.
+    return true;
+  }
+
+  nsIDocShell* docShell = window->GetDocShell();
+  if (!docShell) {
+    // Without a docshell, we cannot check the safety.
+    return true;
+  }
+
+  if (docShell->GetIsPrerendered()) {
+    HandlePrerenderingViolation(window);
+    // When the bindings layer sees a false return value, it returns false form
+    // the JSNative in order to trigger an uncatchable exception.
+    return false;
+  }
+
+  return true;
 }
 
 bool

diff --git a/dom/bindings/BindingUtils.h b/dom/bindings/BindingUtils.h
@@ -3142,9 +3142,20 @@ AssertReturnTypeMatchesJitinfo(const JSJitInfo* aJitinfo,
 bool
 CheckPermissions(JSContext* aCx, JSObject* aObj, const char* const aPermissions[]);
 
-//Returns true if page is being prerendered.
+// This function is called by the bindings layer for methods/getters/setters
+// that are not safe to be called in prerendering mode.  It checks to make sure
+// that the |this| object is not running in a global that is in prerendering
+// mode.  Otherwise, it aborts execution of timers and event handlers, and
+// returns false which gets converted to an uncatchable exception by the
+// bindings layer.
 bool
-CheckSafetyInPrerendering(JSContext* aCx, JSObject* aObj);
+EnforceNotInPrerendering(JSContext* aCx, JSObject* aObj);
+
+// Handles the violation of a blacklisted action in prerendering mode by
+// aborting the scripts, and preventing timers and event handlers from running
+// in the window in the future.
+void
+HandlePrerenderingViolation(nsPIDOMWindow* aWindow);
 
 bool
 CallerSubsumes(JSObject* aObject);

diff --git a/dom/bindings/Bindings.conf b/dom/bindings/Bindings.conf
@@ -1829,7 +1829,7 @@ addExternalIface('MozRDFCompositeDataSource', nativeType='nsIRDFCompositeDataSou
 addExternalIface('MozRDFResource', nativeType='nsIRDFResource', notflattened=True)
 addExternalIface('MozSmsMessage')
 addExternalIface('MozTreeView', nativeType='nsITreeView',
-                  headerFile='nsITreeView.h')
+                  headerFile='nsITreeView.h', notflattened=True)
 addExternalIface('MozWakeLockListener', headerFile='nsIDOMWakeLockListener.h')
 addExternalIface('MozXULTemplateBuilder', nativeType='nsIXULTemplateBuilder')
 addExternalIface('nsIBrowserDOMWindow', nativeType='nsIBrowserDOMWindow',

diff --git a/dom/bindings/Codegen.py b/dom/bindings/Codegen.py
@@ -6506,8 +6506,10 @@ def __init__(self, returnType, arguments, nativeMethodName, static,
                 for i in descriptor.interface.getInheritedInterfaces())):
                 cgThings.append(CGGeneric(dedent(
                     """
-                    if (mozilla::dom::CheckSafetyInPrerendering(cx, obj)) {
-                        //TODO: Handle call into unsafe API during Prerendering (Bug 730101)
+                    if (!mozilla::dom::EnforceNotInPrerendering(cx, obj)) {
+                        // Return false from the JSNative in order to trigger
+                        // an uncatchable exception.
+                        MOZ_ASSERT(!JS_IsExceptionPending(cx));
                         return false;
                     }
                     """)))

diff --git a/dom/bindings/test/chrome.ini b/dom/bindings/test/chrome.ini
@@ -6,3 +6,8 @@
 [test_dom_xrays.html]
 [test_proxies_via_xray.html]
 [test_document_location_via_xray_cached.html]
+[test_blacklisted_prerendering_function.xul]
+support-files =
+  file_focuser.html
+  file_fullScreenPropertyAccessor.html
+skip-if = e10s # prerendering doesn't work in e10s yet
diff --git a/dom/bindings/test/file_focuser.html b/dom/bindings/test/file_focuser.html
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<div id="stage"></div>
+<script>
+  function stage(str) {
+    var s = document.getElementById("stage");
+    s.textContent = str;
+  }
+  stage("before");
+  setTimeout(function() {
+    stage("in timeout");
+  });
+  setInterval(function() {
+    stage("in interval");
+  });
+  addEventListener("keydown", function() {
+    stage("keydown");
+  }, false);
+  try {
+    focus();
+    stage("after");
+  } catch(e) {
+    stage("exception raised");
+  }
+</script>
diff --git a/dom/bindings/test/file_fullScreenPropertyAccessor.html b/dom/bindings/test/file_fullScreenPropertyAccessor.html
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<div id="stage"></div>
+<script>
+  function stage(str) {
+    var s = document.getElementById("stage");
+    s.textContent = str;
+  }
+  stage("before");
+  setTimeout(function() {
+    stage("in timeout");
+  });
+  setInterval(function() {
+    stage("in interval");
+  });
+  addEventListener("keydown", function() {
+    stage("keydown");
+  }, false);
+  try {
+    window.fullScreen;
+    stage("after");
+  } catch(e) {
+    stage("exception raised");
+  }
+</script>