The Tor Browser: js/xpconnect/wrappers/XrayWrapper.cpp@129ffea94266 (annotated)

js/xpconnect/wrappers/XrayWrapper.cpp@129ffea94266 (annotated)

js/xpconnect/wrappers/XrayWrapper.cpp

Sat, 03 Jan 2015 20:18:00 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Sat, 03 Jan 2015 20:18:00 +0100
branch: TOR_BUG_3246
changeset 7: 129ffea94266
permissions: -rw-r--r--

Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /* vim: set ts=8 sts=4 et sw=4 tw=99: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "XrayWrapper.h"
 #include "AccessCheck.h"
 #include "WrapperFactory.h"
 #include "nsIContent.h"
 #include "nsIControllers.h"
 #include "nsContentUtils.h"
 #include "XPCWrapper.h"
 #include "xpcprivate.h"
 #include "jsapi.h"
 #include "jsprf.h"
 #include "nsJSUtils.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/WindowBinding.h"
 #include "nsGlobalWindow.h"
 using namespace mozilla::dom;
 using namespace JS;
 using namespace mozilla;
 using js::Wrapper;
 using js::BaseProxyHandler;
 using js::IsCrossCompartmentWrapper;
 using js::UncheckedUnwrap;
 using js::CheckedUnwrap;
 namespace xpc {
 using namespace XrayUtils;
 // Whitelist for the standard ES classes we can Xray to.
 static bool
 IsJSXraySupported(JSProtoKey key)
 {
     switch (key) {
       case JSProto_Date:
         return true;
       default:
         return false;
     }
 }
 XrayType
 GetXrayType(JSObject *obj)
 {
     obj = js::UncheckedUnwrap(obj, /* stopAtOuter = */ false);
     if (mozilla::dom::UseDOMXray(obj))
         return XrayForDOMObject;
     const js::Class* clasp = js::GetObjectClass(obj);
     if (IS_WN_CLASS(clasp) || clasp->ext.innerObject)
         return XrayForWrappedNative;
     JSProtoKey standardProto = IdentifyStandardInstanceOrPrototype(obj);
     if (IsJSXraySupported(standardProto))
         return XrayForJSObject;
     return NotXray;
 }
 JSObject *
 XrayAwareCalleeGlobal(JSObject *fun)
 {
   MOZ_ASSERT(js::IsFunctionObject(fun));
   JSObject *scope = js::GetObjectParent(fun);
   if (IsXrayWrapper(scope))
     scope = js::UncheckedUnwrap(scope);
   return js::GetGlobalForObjectCrossCompartment(scope);
 }
 const uint32_t JSSLOT_RESOLVING = 0;
 ResolvingId::ResolvingId(JSContext *cx, HandleObject wrapper, HandleId id)
   : mId(id),
     mHolder(cx, getHolderObject(wrapper)),
     mPrev(getResolvingId(mHolder)),
     mXrayShadowing(false)
 {
     js::SetReservedSlot(mHolder, JSSLOT_RESOLVING, js::PrivateValue(this));
 }
 ResolvingId::~ResolvingId()
 {
     MOZ_ASSERT(getResolvingId(mHolder) == this, "unbalanced ResolvingIds");
     js::SetReservedSlot(mHolder, JSSLOT_RESOLVING, js::PrivateValue(mPrev));
 }
 bool
 ResolvingId::isXrayShadowing(jsid id)
 {
     if (!mXrayShadowing)
         return false;
     return mId == id;
 }
 bool
 ResolvingId::isResolving(jsid id)
 {
     for (ResolvingId *cur = this; cur; cur = cur->mPrev) {
         if (cur->mId == id)
             return true;
     }
     return false;
 }
 ResolvingId *
 ResolvingId::getResolvingId(JSObject *holder)
 {
     MOZ_ASSERT(strcmp(JS_GetClass(holder)->name, "NativePropertyHolder") == 0);
     return (ResolvingId *)js::GetReservedSlot(holder, JSSLOT_RESOLVING).toPrivate();
 }
 JSObject *
 ResolvingId::getHolderObject(JSObject *wrapper)
 {
     return &js::GetProxyExtra(wrapper, 0).toObject();
 }
 ResolvingId *
 ResolvingId::getResolvingIdFromWrapper(JSObject *wrapper)
 {
     return getResolvingId(getHolderObject(wrapper));
 }
 class MOZ_STACK_CLASS ResolvingIdDummy
 {
 public:
     ResolvingIdDummy(JSContext *cx, HandleObject wrapper, HandleId id)
     {
     }
 };
 class XrayTraits
 {
 public:
     static JSObject* getTargetObject(JSObject *wrapper) {
         return js::UncheckedUnwrap(wrapper, /* stopAtOuter = */ false);
     }
     virtual bool resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                        HandleObject holder, HandleId id,
                                        MutableHandle<JSPropertyDescriptor> desc) = 0;
     // NB: resolveOwnProperty may decide whether or not to cache what it finds
     // on the holder. If the result is not cached, the lookup will happen afresh
     // for each access, which is the right thing for things like dynamic NodeList
     // properties.
     virtual bool resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper,
                                     HandleObject wrapper, HandleObject holder,
                                     HandleId id, MutableHandle<JSPropertyDescriptor> desc);
     virtual void preserveWrapper(JSObject *target) = 0;
     static bool set(JSContext *cx, HandleObject wrapper, HandleObject receiver, HandleId id,
                     bool strict, MutableHandleValue vp);
     JSObject* getExpandoObject(JSContext *cx, HandleObject target,
                                HandleObject consumer);
     JSObject* ensureExpandoObject(JSContext *cx, HandleObject wrapper,
                                   HandleObject target);
     JSObject* getHolder(JSObject *wrapper);
     JSObject* ensureHolder(JSContext *cx, HandleObject wrapper);
     virtual JSObject* createHolder(JSContext *cx, JSObject *wrapper) = 0;
     JSObject* getExpandoChain(HandleObject obj) {
       return GetObjectScope(obj)->GetExpandoChain(obj);
     }
     bool setExpandoChain(JSContext *cx, HandleObject obj, HandleObject chain) {
       return GetObjectScope(obj)->SetExpandoChain(cx, obj, chain);
     }
     bool cloneExpandoChain(JSContext *cx, HandleObject dst, HandleObject src);
 private:
     bool expandoObjectMatchesConsumer(JSContext *cx, HandleObject expandoObject,
                                       nsIPrincipal *consumerOrigin,
                                       HandleObject exclusiveGlobal);
     JSObject* getExpandoObjectInternal(JSContext *cx, HandleObject target,
                                        nsIPrincipal *origin,
                                        JSObject *exclusiveGlobal);
     JSObject* attachExpandoObject(JSContext *cx, HandleObject target,
                                   nsIPrincipal *origin,
                                   HandleObject exclusiveGlobal);
 };
 class XPCWrappedNativeXrayTraits : public XrayTraits
 {
 public:
     enum {
         HasPrototype = 0
     };
     static const XrayType Type = XrayForWrappedNative;
     virtual bool resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                        HandleObject holder, HandleId id,
                                        MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE;
     virtual bool resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper, HandleObject wrapper,
                                     HandleObject holder, HandleId id,
                                     MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE;
     static bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
                                MutableHandle<JSPropertyDescriptor> desc,
                                Handle<JSPropertyDescriptor> existingDesc, bool *defined);
     virtual bool enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                                 AutoIdVector &props);
     static bool call(JSContext *cx, HandleObject wrapper,
                      const JS::CallArgs &args, js::Wrapper& baseInstance);
     static bool construct(JSContext *cx, HandleObject wrapper,
                           const JS::CallArgs &args, js::Wrapper& baseInstance);
     static bool isResolving(JSContext *cx, JSObject *holder, jsid id);
     static bool resolveDOMCollectionProperty(JSContext *cx, HandleObject wrapper,
                                              HandleObject holder, HandleId id,
                                              MutableHandle<JSPropertyDescriptor> desc);
     static XPCWrappedNative* getWN(JSObject *wrapper) {
         return XPCWrappedNative::Get(getTargetObject(wrapper));
     }
     virtual void preserveWrapper(JSObject *target) MOZ_OVERRIDE;
     typedef ResolvingId ResolvingIdImpl;
     virtual JSObject* createHolder(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
     static const JSClass HolderClass;
     static XPCWrappedNativeXrayTraits singleton;
 };
 const JSClass XPCWrappedNativeXrayTraits::HolderClass = {
     "NativePropertyHolder", JSCLASS_HAS_RESERVED_SLOTS(2),
     JS_PropertyStub, JS_DeletePropertyStub, holder_get, holder_set,
     JS_EnumerateStub, JS_ResolveStub, JS_ConvertStub
 };
 class DOMXrayTraits : public XrayTraits
 {
 public:
     enum {
         HasPrototype = 0
     };
     static const XrayType Type = XrayForDOMObject;
     virtual bool resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                        HandleObject holder, HandleId id,
                                        MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE;
     virtual bool resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper, HandleObject wrapper,
                                     HandleObject holder, HandleId id,
                                     MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE;
     static bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
                                MutableHandle<JSPropertyDescriptor> desc,
                                Handle<JSPropertyDescriptor> existingDesc, bool *defined);
     static bool set(JSContext *cx, HandleObject wrapper, HandleObject receiver, HandleId id,
                     bool strict, MutableHandleValue vp);
     virtual bool enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                                 AutoIdVector &props);
     static bool call(JSContext *cx, HandleObject wrapper,
                      const JS::CallArgs &args, js::Wrapper& baseInstance);
     static bool construct(JSContext *cx, HandleObject wrapper,
                           const JS::CallArgs &args, js::Wrapper& baseInstance);
     static bool isResolving(JSContext *cx, JSObject *holder, jsid id)
     {
         return false;
     }
     typedef ResolvingIdDummy ResolvingIdImpl;
     virtual void preserveWrapper(JSObject *target) MOZ_OVERRIDE;
     virtual JSObject* createHolder(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
     static DOMXrayTraits singleton;
 };
 class JSXrayTraits : public XrayTraits
 {
 public:
     enum {
         HasPrototype = 1
     };
     static const XrayType Type = XrayForJSObject;
     virtual bool resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                        HandleObject holder, HandleId id,
                                        MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE
     {
         MOZ_ASSUME_UNREACHABLE("resolveNativeProperty hook should never be called with HasPrototype = 1");
     }
     virtual bool resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper, HandleObject wrapper,
                                     HandleObject holder, HandleId id,
                                     MutableHandle<JSPropertyDescriptor> desc) MOZ_OVERRIDE;
     static bool defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
                                MutableHandle<JSPropertyDescriptor> desc,
                                Handle<JSPropertyDescriptor> existingDesc, bool *defined)
     {
         // There's no useful per-trait work to do here. Punt back up to the common code.
         *defined = false;
         return true;
     }
     virtual bool enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                                 AutoIdVector &props);
     static bool call(JSContext *cx, HandleObject wrapper,
                      const JS::CallArgs &args, js::Wrapper& baseInstance)
     {
         // We'll handle this when we start supporting Functions.
         RootedValue v(cx, ObjectValue(*wrapper));
         js_ReportIsNotFunction(cx, v);
         return false;
     }
     static bool construct(JSContext *cx, HandleObject wrapper,
                           const JS::CallArgs &args, js::Wrapper& baseInstance)
     {
         // We'll handle this when we start supporting Functions.
         RootedValue v(cx, ObjectValue(*wrapper));
         js_ReportIsNotFunction(cx, v);
         return false;
     }
     static bool isResolving(JSContext *cx, JSObject *holder, jsid id)
     {
         return false;
     }
     typedef ResolvingIdDummy ResolvingIdImpl;
     bool getPrototypeOf(JSContext *cx, JS::HandleObject wrapper,
                                JS::HandleObject target,
                                JS::MutableHandleObject protop)
     {
         RootedObject holder(cx, ensureHolder(cx, wrapper));
         JSProtoKey key = isPrototype(holder) ? JSProto_Object
                                              : getProtoKey(holder);
         {
             JSAutoCompartment ac(cx, target);
             if (!JS_GetClassPrototype(cx, key, protop))
                 return nullptr;
         }
         return JS_WrapObject(cx, protop);
     }
     virtual void preserveWrapper(JSObject *target) MOZ_OVERRIDE {
         // In the case of pure JS objects, there is no underlying object, and
         // the target is the canonical representation of state. If it gets
         // collected, then expandos and such should be collected too. So there's
         // nothing to do here.
     }
     enum {
         SLOT_PROTOKEY = 0,
         SLOT_ISPROTOTYPE,
         SLOT_COUNT
     };
     virtual JSObject* createHolder(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
     static JSProtoKey getProtoKey(JSObject *holder) {
         int32_t key = js::GetReservedSlot(holder, SLOT_PROTOKEY).toInt32();
         return static_cast<JSProtoKey>(key);
     }
     static bool isPrototype(JSObject *holder) {
         return js::GetReservedSlot(holder, SLOT_ISPROTOTYPE).toBoolean();
     }
     static const JSClass HolderClass;
     static JSXrayTraits singleton;
 };
 const JSClass JSXrayTraits::HolderClass = {
     "JSXrayHolder", JSCLASS_HAS_RESERVED_SLOTS(SLOT_COUNT),
     JS_PropertyStub, JS_DeletePropertyStub,
     JS_PropertyStub, JS_StrictPropertyStub,
     JS_EnumerateStub, JS_ResolveStub, JS_ConvertStub
 };
 bool
 JSXrayTraits::resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper,
                                  HandleObject wrapper, HandleObject holder,
                                  HandleId id,
                                  MutableHandle<JSPropertyDescriptor> desc)
 {
     // Call the common code.
     bool ok = XrayTraits::resolveOwnProperty(cx, jsWrapper, wrapper, holder,
                                              id, desc);
     if (!ok || desc.object())
         return ok;
     // Non-prototypes don't have anything on them yet.
     if (!isPrototype(holder))
         return true;
     // The non-HasPrototypes semantics implemented by traditional Xrays are kind
     // of broken with respect to |own|-ness and the holder. The common code
     // muddles through by only checking the holder for non-|own| lookups, but
     // that doesn't work for us. So we do an explicit holder check here, and hope
     // that this mess gets fixed up soon.
     if (!JS_GetPropertyDescriptorById(cx, holder, id, desc))
         return false;
     if (desc.object()) {
         desc.object().set(wrapper);
         return true;
     }
     // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
     RootedObject target(cx, getTargetObject(wrapper));
     const js::Class *clasp = js::GetObjectClass(target);
     JSProtoKey protoKey = JSCLASS_CACHED_PROTO_KEY(clasp);
     MOZ_ASSERT(protoKey == getProtoKey(holder));
     MOZ_ASSERT(clasp->spec.defined());
     // Handle the 'constructor' property.
     if (id == GetRTIdByIndex(cx, XPCJSRuntime::IDX_CONSTRUCTOR)) {
         RootedObject constructor(cx);
         {
             JSAutoCompartment ac(cx, target);
             if (!JS_GetClassObject(cx, protoKey, &constructor))
                 return false;
         }
         if (!JS_WrapObject(cx, &constructor))
             return false;
         desc.object().set(wrapper);
         desc.setAttributes(0);
         desc.setGetter(nullptr);
         desc.setSetter(nullptr);
         desc.value().setObject(*constructor);
         return true;
     }
     // Find the properties available, if any.
     const JSFunctionSpec *fs = clasp->spec.prototypeFunctions;
     if (!fs)
         return true;
     // Compute the property name we're looking for. We'll handle indexed
     // properties when we start supporting arrays.
     if (!JSID_IS_STRING(id))
         return true;
     Rooted<JSFlatString*> str(cx, JSID_TO_FLAT_STRING(id));
     // Scan through the properties. If we don't find anything, we're done.
     for (; fs->name; ++fs) {
         // We don't support self-hosted functions yet. See bug 972987.
         if (fs->selfHostedName)
             continue;
         if (JS_FlatStringEqualsAscii(str, fs->name))
             break;
     }
     if (!fs->name)
         return true;
     // Generate an Xrayed version of the method.
     Rooted<JSFunction*> fun(cx, JS_NewFunctionById(cx, fs->call.op, fs->nargs,
 , wrapper, id));
     if (!fun)
         return false;
     // The generic Xray machinery only defines non-own properties on the holder.
     // This is broken, and will be fixed at some point, but for now we need to
     // cache the value explicitly. See the corresponding call to
     // JS_GetPropertyById at the top of this function.
     return JS_DefinePropertyById(cx, holder, id,
                                  ObjectValue(*JS_GetFunctionObject(fun)),
                                  nullptr, nullptr, 0) &&
            JS_GetPropertyDescriptorById(cx, holder, id, desc);
 }
 bool
 JSXrayTraits::enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                              AutoIdVector &props)
 {
     RootedObject holder(cx, ensureHolder(cx, wrapper));
     if (!holder)
         return false;
     // Non-prototypes don't have anything on them yet.
     if (!isPrototype(holder))
         return true;
     // Grab the JSClass. We require all Xrayable classes to have a ClassSpec.
     RootedObject target(cx, getTargetObject(wrapper));
     const js::Class *clasp = js::GetObjectClass(target);
     MOZ_ASSERT(JSCLASS_CACHED_PROTO_KEY(clasp) == getProtoKey(holder));
     MOZ_ASSERT(clasp->spec.defined());
     // Find the properties available, if any.
     const JSFunctionSpec *fs = clasp->spec.prototypeFunctions;
     if (!fs)
         return true;
     // Intern all the strings, and pass theme to the caller.
     for (; fs->name; ++fs) {
         // We don't support self-hosted functions yet. See bug 972987.
         if (fs->selfHostedName)
             continue;
         RootedString str(cx, JS_InternString(cx, fs->name));
         if (!str)
             return false;
         if (!props.append(INTERNED_STRING_TO_JSID(cx, str)))
             return false;
     }
     // Add the 'constructor' property.
     return props.append(GetRTIdByIndex(cx, XPCJSRuntime::IDX_CONSTRUCTOR));
 }
 JSObject*
 JSXrayTraits::createHolder(JSContext *cx, JSObject *wrapper)
 {
     RootedObject global(cx, JS_GetGlobalForObject(cx, wrapper));
     RootedObject target(cx, getTargetObject(wrapper));
     RootedObject holder(cx, JS_NewObjectWithGivenProto(cx, &HolderClass,
                                                        JS::NullPtr(), global));
     if (!holder)
         return nullptr;
     // Compute information about the target.
     bool isPrototype = false;
     JSProtoKey key = IdentifyStandardInstance(target);
     if (key == JSProto_Null) {
         isPrototype = true;
         key = IdentifyStandardPrototype(target);
     }
     MOZ_ASSERT(key != JSProto_Null);
     // Store it on the holder.
     RootedValue v(cx);
     v.setNumber(static_cast<uint32_t>(key));
     js::SetReservedSlot(holder, SLOT_PROTOKEY, v);
     v.setBoolean(isPrototype);
     js::SetReservedSlot(holder, SLOT_ISPROTOTYPE, v);
     return holder;
 }
 XPCWrappedNativeXrayTraits XPCWrappedNativeXrayTraits::singleton;
 DOMXrayTraits DOMXrayTraits::singleton;
 JSXrayTraits JSXrayTraits::singleton;
 XrayTraits*
 GetXrayTraits(JSObject *obj)
 {
     switch (GetXrayType(obj)) {
       case XrayForDOMObject:
         return &DOMXrayTraits::singleton;
       case XrayForWrappedNative:
         return &XPCWrappedNativeXrayTraits::singleton;
       case XrayForJSObject:
         return &JSXrayTraits::singleton;
       default:
         return nullptr;
     }
 }
 /*
  * Xray expando handling.
  *
  * We hang expandos for Xray wrappers off a reserved slot on the target object
  * so that same-origin compartments can share expandos for a given object. We
  * have a linked list of expando objects, one per origin. The properties on these
  * objects are generally wrappers pointing back to the compartment that applied
  * them.
  *
  * The expando objects should _never_ be exposed to script. The fact that they
  * live in the target compartment is a detail of the implementation, and does
  * not imply that code in the target compartment should be allowed to inspect
  * them. They are private to the origin that placed them.
  */
 enum ExpandoSlots {
     JSSLOT_EXPANDO_NEXT = 0,
     JSSLOT_EXPANDO_ORIGIN,
     JSSLOT_EXPANDO_EXCLUSIVE_GLOBAL,
     JSSLOT_EXPANDO_PROTOTYPE,
     JSSLOT_EXPANDO_COUNT
 };
 static nsIPrincipal*
 ObjectPrincipal(JSObject *obj)
 {
     return GetCompartmentPrincipal(js::GetObjectCompartment(obj));
 }
 static nsIPrincipal*
 GetExpandoObjectPrincipal(JSObject *expandoObject)
 {
     Value v = JS_GetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN);
     return static_cast<nsIPrincipal*>(v.toPrivate());
 }
 static void
 ExpandoObjectFinalize(JSFreeOp *fop, JSObject *obj)
 {
     // Release the principal.
     nsIPrincipal *principal = GetExpandoObjectPrincipal(obj);
     NS_RELEASE(principal);
 }
 const JSClass ExpandoObjectClass = {
     "XrayExpandoObject",
     JSCLASS_HAS_RESERVED_SLOTS(JSSLOT_EXPANDO_COUNT),
     JS_PropertyStub, JS_DeletePropertyStub, JS_PropertyStub, JS_StrictPropertyStub,
     JS_EnumerateStub, JS_ResolveStub, JS_ConvertStub, ExpandoObjectFinalize
 };
 bool
 XrayTraits::expandoObjectMatchesConsumer(JSContext *cx,
                                          HandleObject expandoObject,
                                          nsIPrincipal *consumerOrigin,
                                          HandleObject exclusiveGlobal)
 {
     MOZ_ASSERT(js::IsObjectInContextCompartment(expandoObject, cx));
     // First, compare the principals.
     nsIPrincipal *o = GetExpandoObjectPrincipal(expandoObject);
     // Note that it's very important here to ignore document.domain. We
     // pull the principal for the expando object off of the first consumer
     // for a given origin, and freely share the expandos amongst multiple
     // same-origin consumers afterwards. However, this means that we have
     // no way to know whether _all_ consumers have opted in to collaboration
     // by explicitly setting document.domain. So we just mandate that expando
     // sharing is unaffected by it.
     if (!consumerOrigin->Equals(o))
       return false;
     // Sandboxes want exclusive expando objects.
     JSObject *owner = JS_GetReservedSlot(expandoObject,
                                          JSSLOT_EXPANDO_EXCLUSIVE_GLOBAL)
                                         .toObjectOrNull();
     if (!owner && !exclusiveGlobal)
         return true;
     // The exclusive global should always be wrapped in the target's compartment.
     MOZ_ASSERT(!exclusiveGlobal || js::IsObjectInContextCompartment(exclusiveGlobal, cx));
     MOZ_ASSERT(!owner || js::IsObjectInContextCompartment(owner, cx));
     return owner == exclusiveGlobal;
 }
 JSObject *
 XrayTraits::getExpandoObjectInternal(JSContext *cx, HandleObject target,
                                      nsIPrincipal *origin,
                                      JSObject *exclusiveGlobalArg)
 {
     // The expando object lives in the compartment of the target, so all our
     // work needs to happen there.
     RootedObject exclusiveGlobal(cx, exclusiveGlobalArg);
     JSAutoCompartment ac(cx, target);
     if (!JS_WrapObject(cx, &exclusiveGlobal))
         return nullptr;
     // Iterate through the chain, looking for a same-origin object.
     RootedObject head(cx, getExpandoChain(target));
     while (head) {
         if (expandoObjectMatchesConsumer(cx, head, origin, exclusiveGlobal))
             return head;
         head = JS_GetReservedSlot(head, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
     }
     // Not found.
     return nullptr;
 }
 JSObject *
 XrayTraits::getExpandoObject(JSContext *cx, HandleObject target, HandleObject consumer)
 {
     JSObject *consumerGlobal = js::GetGlobalForObjectCrossCompartment(consumer);
     bool isSandbox = !strcmp(js::GetObjectJSClass(consumerGlobal)->name, "Sandbox");
     return getExpandoObjectInternal(cx, target, ObjectPrincipal(consumer),
                                     isSandbox ? consumerGlobal : nullptr);
 }
 JSObject *
 XrayTraits::attachExpandoObject(JSContext *cx, HandleObject target,
                                 nsIPrincipal *origin, HandleObject exclusiveGlobal)
 {
     // Make sure the compartments are sane.
     MOZ_ASSERT(js::IsObjectInContextCompartment(target, cx));
     MOZ_ASSERT(!exclusiveGlobal || js::IsObjectInContextCompartment(exclusiveGlobal, cx));
     // No duplicates allowed.
     MOZ_ASSERT(!getExpandoObjectInternal(cx, target, origin, exclusiveGlobal));
     // Create the expando object. We parent it directly to the target object.
     RootedObject expandoObject(cx, JS_NewObjectWithGivenProto(cx, &ExpandoObjectClass,
                                                               JS::NullPtr(), target));
     if (!expandoObject)
         return nullptr;
     // AddRef and store the principal.
     NS_ADDREF(origin);
     JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_ORIGIN, PRIVATE_TO_JSVAL(origin));
     // Note the exclusive global, if any.
     JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_EXCLUSIVE_GLOBAL,
                        OBJECT_TO_JSVAL(exclusiveGlobal));
     // If this is our first expando object, take the opportunity to preserve
     // the wrapper. This keeps our expandos alive even if the Xray wrapper gets
     // collected.
     RootedObject chain(cx, getExpandoChain(target));
     if (!chain)
         preserveWrapper(target);
     // Insert it at the front of the chain.
     JS_SetReservedSlot(expandoObject, JSSLOT_EXPANDO_NEXT, OBJECT_TO_JSVAL(chain));
     setExpandoChain(cx, target, expandoObject);
     return expandoObject;
 }
 JSObject *
 XrayTraits::ensureExpandoObject(JSContext *cx, HandleObject wrapper,
                                 HandleObject target)
 {
     // Expando objects live in the target compartment.
     JSAutoCompartment ac(cx, target);
     JSObject *expandoObject = getExpandoObject(cx, target, wrapper);
     if (!expandoObject) {
         // If the object is a sandbox, we don't want it to share expandos with
         // anyone else, so we tag it with the sandbox global.
         //
         // NB: We first need to check the class, _then_ wrap for the target's
         // compartment.
         RootedObject consumerGlobal(cx, js::GetGlobalForObjectCrossCompartment(wrapper));
         bool isSandbox = !strcmp(js::GetObjectJSClass(consumerGlobal)->name, "Sandbox");
         if (!JS_WrapObject(cx, &consumerGlobal))
             return nullptr;
         expandoObject = attachExpandoObject(cx, target, ObjectPrincipal(wrapper),
                                             isSandbox ? (HandleObject)consumerGlobal : NullPtr());
     }
     return expandoObject;
 }
 bool
 XrayTraits::cloneExpandoChain(JSContext *cx, HandleObject dst, HandleObject src)
 {
     MOZ_ASSERT(js::IsObjectInContextCompartment(dst, cx));
     MOZ_ASSERT(getExpandoChain(dst) == nullptr);
     RootedObject oldHead(cx, getExpandoChain(src));
     while (oldHead) {
         RootedObject exclusive(cx, JS_GetReservedSlot(oldHead,
                                                       JSSLOT_EXPANDO_EXCLUSIVE_GLOBAL)
                                                      .toObjectOrNull());
         if (!JS_WrapObject(cx, &exclusive))
             return false;
         RootedObject newHead(cx, attachExpandoObject(cx, dst, GetExpandoObjectPrincipal(oldHead),
                                                      exclusive));
         if (!JS_CopyPropertiesFrom(cx, newHead, oldHead))
             return false;
         oldHead = JS_GetReservedSlot(oldHead, JSSLOT_EXPANDO_NEXT).toObjectOrNull();
     }
     return true;
 }
 namespace XrayUtils {
 bool CloneExpandoChain(JSContext *cx, JSObject *dstArg, JSObject *srcArg)
 {
     RootedObject dst(cx, dstArg);
     RootedObject src(cx, srcArg);
     return GetXrayTraits(src)->cloneExpandoChain(cx, dst, src);
 }
 }
 static JSObject *
 GetHolder(JSObject *obj)
 {
     return &js::GetProxyExtra(obj, 0).toObject();
 }
 JSObject*
 XrayTraits::getHolder(JSObject *wrapper)
 {
     MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
     js::Value v = js::GetProxyExtra(wrapper, 0);
     return v.isObject() ? &v.toObject() : nullptr;
 }
 JSObject*
 XrayTraits::ensureHolder(JSContext *cx, HandleObject wrapper)
 {
     RootedObject holder(cx, getHolder(wrapper));
     if (holder)
         return holder;
     holder = createHolder(cx, wrapper); // virtual trap.
     if (holder)
         js::SetProxyExtra(wrapper, 0, ObjectValue(*holder));
     return holder;
 }
 bool
 XPCWrappedNativeXrayTraits::isResolving(JSContext *cx, JSObject *holder,
                                         jsid id)
 {
     ResolvingId *cur = ResolvingId::getResolvingId(holder);
     if (!cur)
         return false;
     return cur->isResolving(id);
 }
 namespace XrayUtils {
 bool
 IsXPCWNHolderClass(const JSClass *clasp)
 {
   return clasp == &XPCWrappedNativeXrayTraits::HolderClass;
 }
 }
 // Some DOM objects have shared properties that don't have an explicit
 // getter/setter and rely on the class getter/setter. We install a
 // class getter/setter on the holder object to trigger them.
 bool
 holder_get(JSContext *cx, HandleObject wrapper, HandleId id, MutableHandleValue vp)
 {
     // JSClass::getProperty is wacky enough that it's hard to be sure someone
     // can't inherit this getter by prototyping a random object to an
     // XrayWrapper. Be safe.
     NS_ENSURE_TRUE(WrapperFactory::IsXrayWrapper(wrapper), true);
     JSObject *holder = GetHolder(wrapper);
     XPCWrappedNative *wn = XPCWrappedNativeXrayTraits::getWN(wrapper);
     if (NATIVE_HAS_FLAG(wn, WantGetProperty)) {
         JSAutoCompartment ac(cx, holder);
         bool retval = true;
         nsresult rv = wn->GetScriptableCallback()->GetProperty(wn, cx, wrapper,
                                                                id, vp.address(), &retval);
         if (NS_FAILED(rv) || !retval) {
             if (retval)
                 XPCThrower::Throw(rv, cx);
             return false;
         }
     }
     return true;
 }
 bool
 holder_set(JSContext *cx, HandleObject wrapper, HandleId id, bool strict, MutableHandleValue vp)
 {
     // JSClass::setProperty is wacky enough that it's hard to be sure someone
     // can't inherit this getter by prototyping a random object to an
     // XrayWrapper. Be safe.
     NS_ENSURE_TRUE(WrapperFactory::IsXrayWrapper(wrapper), true);
     JSObject *holder = GetHolder(wrapper);
     if (XPCWrappedNativeXrayTraits::isResolving(cx, holder, id)) {
         return true;
     }
     XPCWrappedNative *wn = XPCWrappedNativeXrayTraits::getWN(wrapper);
     if (NATIVE_HAS_FLAG(wn, WantSetProperty)) {
         JSAutoCompartment ac(cx, holder);
         bool retval = true;
         nsresult rv = wn->GetScriptableCallback()->SetProperty(wn, cx, wrapper,
                                                                id, vp.address(), &retval);
         if (NS_FAILED(rv) || !retval) {
             if (retval)
                 XPCThrower::Throw(rv, cx);
             return false;
         }
     }
     return true;
 }
 class AutoSetWrapperNotShadowing
 {
 public:
     AutoSetWrapperNotShadowing(ResolvingId *resolvingId MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
     {
         MOZ_GUARD_OBJECT_NOTIFIER_INIT;
         MOZ_ASSERT(resolvingId);
         mResolvingId = resolvingId;
         mResolvingId->mXrayShadowing = true;
     }
     ~AutoSetWrapperNotShadowing()
     {
         mResolvingId->mXrayShadowing = false;
     }
 private:
     MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
     ResolvingId *mResolvingId;
 };
 // This is called after the resolveNativeProperty could not find any property
 // with the given id. At this point we can check for DOM specific collections
 // like document["formName"] because we already know that it is not shadowing
 // any native property.
 bool
 XPCWrappedNativeXrayTraits::resolveDOMCollectionProperty(JSContext *cx, HandleObject wrapper,
                                                          HandleObject holder, HandleId id,
                                                          MutableHandle<JSPropertyDescriptor> desc)
 {
     // If we are not currently resolving this id and resolveNative is called
     // we don't do anything. (see defineProperty in case of shadowing is forbidden).
     ResolvingId *rid = ResolvingId::getResolvingId(holder);
     if (!rid || rid->mId != id)
         return true;
     XPCWrappedNative *wn = getWN(wrapper);
     if (!wn) {
         // This should NEVER happen, but let's be extra careful here
         // because of the reported crashes (Bug 832091).
         XPCThrower::Throw(NS_ERROR_UNEXPECTED, cx);
         return false;
     }
     if (!NATIVE_HAS_FLAG(wn, WantNewResolve))
         return true;
     ResolvingId *resolvingId = ResolvingId::getResolvingIdFromWrapper(wrapper);
     if (!resolvingId) {
         // This should NEVER happen, but let's be extra careful here
         // becaue of the reported crashes (Bug 832091).
         XPCThrower::Throw(NS_ERROR_UNEXPECTED, cx);
         return false;
     }
     // Setting the current ResolvingId in non-shadowing mode. So for this id
     // Xray won't ignore DOM specific collection properties temporarily.
     AutoSetWrapperNotShadowing asw(resolvingId);
     bool retval = true;
     RootedObject pobj(cx);
     nsresult rv = wn->GetScriptableInfo()->GetCallback()->NewResolve(wn, cx, wrapper, id,
                                                                      pobj.address(), &retval);
     if (NS_FAILED(rv)) {
         if (retval)
             XPCThrower::Throw(rv, cx);
         return false;
     }
     if (pobj && !JS_GetPropertyDescriptorById(cx, holder, id, desc))
         return false;
     return true;
 }
 static nsGlobalWindow*
 AsWindow(JSContext *cx, JSObject *wrapper)
 {
   nsGlobalWindow* win;
   // We want to use our target object here, since we don't want to be
   // doing a security check while unwrapping.
   JSObject* target = XrayTraits::getTargetObject(wrapper);
   nsresult rv = UNWRAP_OBJECT(Window, target, win);
   if (NS_SUCCEEDED(rv))
       return win;
   nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(
       nsContentUtils::XPConnect()->GetNativeOfWrapper(cx, target));
   return static_cast<nsGlobalWindow*>(piWin.get());
 }
 static bool
 IsWindow(JSContext *cx, JSObject *wrapper)
 {
     return !!AsWindow(cx, wrapper);
 }
 static nsQueryInterface
 do_QueryInterfaceNative(JSContext* cx, HandleObject wrapper);
 void
 XPCWrappedNativeXrayTraits::preserveWrapper(JSObject *target)
 {
     XPCWrappedNative *wn = XPCWrappedNative::Get(target);
     nsRefPtr<nsXPCClassInfo> ci;
     CallQueryInterface(wn->Native(), getter_AddRefs(ci));
     if (ci)
         ci->PreserveWrapper(wn->Native());
 }
 bool
 XPCWrappedNativeXrayTraits::resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                                   HandleObject holder, HandleId id,
                                                   MutableHandle<JSPropertyDescriptor> desc)
 {
     MOZ_ASSERT(js::GetObjectJSClass(holder) == &HolderClass);
     desc.object().set(nullptr);
     // This will do verification and the method lookup for us.
     RootedObject target(cx, getTargetObject(wrapper));
     XPCCallContext ccx(JS_CALLER, cx, target, NullPtr(), id);
     // There are no native numeric properties, so we can shortcut here. We will
     // not find the property. However we want to support non shadowing dom
     // specific collection properties like window.frames, so we still have to
     // check for those.
     if (!JSID_IS_STRING(id)) {
         /* Not found */
         return resolveDOMCollectionProperty(cx, wrapper, holder, id, desc);
     }
     // The |controllers| property is accessible as a [ChromeOnly] property on
     // Window.WebIDL, and [noscript] in XPIDL. Chrome needs to see this over
     // Xray, so we need to special-case it until we move |Window| to WebIDL.
     nsGlobalWindow *win = nullptr;
     if (id == GetRTIdByIndex(cx, XPCJSRuntime::IDX_CONTROLLERS) &&
         AccessCheck::isChrome(wrapper) &&
         (win = AsWindow(cx, wrapper)))
     {
         nsCOMPtr<nsIControllers> c;
         nsresult rv = win->GetControllers(getter_AddRefs(c));
         if (NS_SUCCEEDED(rv) && c) {
             rv = nsXPConnect::XPConnect()->WrapNativeToJSVal(cx, CurrentGlobalOrNull(cx),
                                                              c, nullptr, nullptr, true,
                                                              desc.value());
         }
         if (NS_FAILED(rv) || !c) {
             JS_ReportError(cx, "Failed to invoke GetControllers via Xrays");
             return false;
         }
         desc.object().set(wrapper);
         return true;
     }
     XPCNativeInterface *iface;
     XPCNativeMember *member;
     XPCWrappedNative *wn = getWN(wrapper);
     if (ccx.GetWrapper() != wn || !wn->IsValid()) {
         // Something is wrong. If the wrapper is not even valid let's not risk
         // calling resolveDOMCollectionProperty.
         return true;
     } else if (!(iface = ccx.GetInterface()) ||
                !(member = ccx.GetMember())) {
         /* Not found */
         return resolveDOMCollectionProperty(cx, wrapper, holder, id, desc);
     }
     desc.object().set(holder);
     desc.setAttributes(JSPROP_ENUMERATE);
     desc.setGetter(nullptr);
     desc.setSetter(nullptr);
     desc.value().set(JSVAL_VOID);
     RootedValue fval(cx, JSVAL_VOID);
     if (member->IsConstant()) {
         if (!member->GetConstantValue(ccx, iface, desc.value().address())) {
             JS_ReportError(cx, "Failed to convert constant native property to JS value");
             return false;
         }
     } else if (member->IsAttribute()) {
         // This is a getter/setter. Clone a function for it.
         if (!member->NewFunctionObject(ccx, iface, wrapper, fval.address())) {
             JS_ReportError(cx, "Failed to clone function object for native getter/setter");
             return false;
         }
         unsigned attrs = desc.attributes();
         attrs |= JSPROP_GETTER;
         if (member->IsWritableAttribute())
             attrs |= JSPROP_SETTER;
         // Make the property shared on the holder so no slot is allocated
         // for it. This avoids keeping garbage alive through that slot.
         attrs |= JSPROP_SHARED;
         desc.setAttributes(attrs);
     } else {
         // This is a method. Clone a function for it.
         if (!member->NewFunctionObject(ccx, iface, wrapper, desc.value().address())) {
             JS_ReportError(cx, "Failed to clone function object for native function");
             return false;
         }
         // Without a wrapper the function would live on the prototype. Since we
         // don't have one, we have to avoid calling the scriptable helper's
         // GetProperty method for this property, so stub out the getter and
         // setter here explicitly.
         desc.setGetter(JS_PropertyStub);
         desc.setSetter(JS_StrictPropertyStub);
     }
     if (!JS_WrapValue(cx, desc.value()) || !JS_WrapValue(cx, &fval))
         return false;
     if (desc.hasGetterObject())
         desc.setGetterObject(&fval.toObject());
     if (desc.hasSetterObject())
         desc.setSetterObject(&fval.toObject());
     // Define the property.
     return JS_DefinePropertyById(cx, holder, id, desc.value(),
                                  desc.getter(), desc.setter(), desc.attributes());
 }
 static bool
 wrappedJSObject_getter(JSContext *cx, HandleObject wrapper, HandleId id, MutableHandleValue vp)
 {
     if (!IsWrapper(wrapper) || !WrapperFactory::IsXrayWrapper(wrapper)) {
         JS_ReportError(cx, "Unexpected object");
         return false;
     }
     vp.set(OBJECT_TO_JSVAL(wrapper));
     return WrapperFactory::WaiveXrayAndWrap(cx, vp);
 }
 bool
 XrayTraits::resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper,
                                HandleObject wrapper, HandleObject holder, HandleId id,
                                MutableHandle<JSPropertyDescriptor> desc)
 {
     desc.object().set(nullptr);
     RootedObject target(cx, getTargetObject(wrapper));
     RootedObject expando(cx, getExpandoObject(cx, target, wrapper));
     // Check for expando properties first. Note that the expando object lives
     // in the target compartment.
     bool found = false;
     if (expando) {
         JSAutoCompartment ac(cx, expando);
         if (!JS_GetPropertyDescriptorById(cx, expando, id, desc))
             return false;
         found = !!desc.object();
     }
     // Next, check for ES builtins.
     if (!found && JS_IsGlobalObject(target)) {
         JSProtoKey key = JS_IdToProtoKey(cx, id);
         JSAutoCompartment ac(cx, target);
         if (key != JSProto_Null) {
             MOZ_ASSERT(key < JSProto_LIMIT);
             RootedObject constructor(cx);
             if (!JS_GetClassObject(cx, key, &constructor))
                 return false;
             MOZ_ASSERT(constructor);
             desc.value().set(ObjectValue(*constructor));
             found = true;
         } else if (id == GetRTIdByIndex(cx, XPCJSRuntime::IDX_EVAL)) {
             RootedObject eval(cx);
             if (!js::GetOriginalEval(cx, target, &eval))
                 return false;
             desc.value().set(ObjectValue(*eval));
             found = true;
         }
     }
     if (found) {
         if (!JS_WrapPropertyDescriptor(cx, desc))
             return false;
         // Pretend the property lives on the wrapper.
         desc.object().set(wrapper);
         return true;
     }
     // Handle .wrappedJSObject for subsuming callers. This should move once we
     // sort out own-ness for the holder.
     if (id == GetRTIdByIndex(cx, XPCJSRuntime::IDX_WRAPPED_JSOBJECT) &&
         AccessCheck::wrapperSubsumes(wrapper))
     {
         if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found))
             return false;
         if (!found && !JS_DefinePropertyById(cx, holder, id, UndefinedValue(),
                                              wrappedJSObject_getter, nullptr,
                                              JSPROP_ENUMERATE | JSPROP_SHARED)) {
             return false;
         }
         if (!JS_GetPropertyDescriptorById(cx, holder, id, desc))
             return false;
         desc.object().set(wrapper);
         return true;
     }
     return true;
 }
 bool
 XrayTraits::set(JSContext *cx, HandleObject wrapper, HandleObject receiver, HandleId id,
                 bool strict, MutableHandleValue vp)
 {
     // Skip our Base if it isn't already BaseProxyHandler.
     js::BaseProxyHandler *handler = js::GetProxyHandler(wrapper);
     return handler->js::BaseProxyHandler::set(cx, wrapper, receiver, id, strict, vp);
 }
 bool
 XPCWrappedNativeXrayTraits::resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper,
                                                HandleObject wrapper, HandleObject holder,
                                                HandleId id,
                                                MutableHandle<JSPropertyDescriptor> desc)
 {
     // Call the common code.
     bool ok = XrayTraits::resolveOwnProperty(cx, jsWrapper, wrapper, holder,
                                              id, desc);
     if (!ok || desc.object())
         return ok;
     // Check for indexed access on a window.
     int32_t index = GetArrayIndexFromId(cx, id);
     if (IsArrayIndex(index)) {
         nsGlobalWindow* win = AsWindow(cx, wrapper);
         // Note: As() unwraps outer windows to get to the inner window.
         if (win) {
             bool unused;
             nsCOMPtr<nsIDOMWindow> subframe = win->IndexedGetter(index, unused);
             if (subframe) {
                 nsGlobalWindow* global = static_cast<nsGlobalWindow*>(subframe.get());
                 global->EnsureInnerWindow();
                 JSObject* obj = global->FastGetGlobalJSObject();
                 if (MOZ_UNLIKELY(!obj)) {
                     // It's gone?
                     return xpc::Throw(cx, NS_ERROR_FAILURE);
                 }
                 desc.value().setObject(*obj);
                 FillPropertyDescriptor(desc, wrapper, true);
                 return JS_WrapPropertyDescriptor(cx, desc);
             }
         }
     }
     // Xray wrappers don't use the regular wrapper hierarchy, so we should be
     // in the wrapper's compartment here, not the wrappee.
     MOZ_ASSERT(js::IsObjectInContextCompartment(wrapper, cx));
     bool hasProp;
     if (!JS_HasPropertyById(cx, holder, id, &hasProp)) {
         return false;
     }
     if (!hasProp) {
         XPCWrappedNative *wn = getWN(wrapper);
         // Run the resolve hook of the wrapped native.
         if (!NATIVE_HAS_FLAG(wn, WantNewResolve)) {
             return true;
         }
         bool retval = true;
         RootedObject pobj(cx);
         nsIXPCScriptable *callback = wn->GetScriptableInfo()->GetCallback();
         nsresult rv = callback->NewResolve(wn, cx, wrapper, id, pobj.address(),
                                            &retval);
         if (NS_FAILED(rv)) {
             if (retval)
                 XPCThrower::Throw(rv, cx);
             return false;
         }
         MOZ_ASSERT(!pobj || (JS_HasPropertyById(cx, holder, id, &hasProp) &&
                              hasProp), "id got defined somewhere else?");
     }
     // resolveOwnProperty must return a non-empty |desc| if and only if an |own|
     // property was found on the object. However, given how the NewResolve setup
     // works, we can't run the resolve hook if the holder already has a property
     // of the same name. So if there was a pre-existing property on the holder,
     // we have to use it. But we have no way of knowing if it corresponded to an
     // |own| or non-|own| property, since both get cached on the holder and the
     // |own|-ness information is lost.
     //
     // So we just over-zealously call things |own| here. This can cause us to
     // return non-|own| properties from Object.getOwnPropertyDescriptor if
     // lookups are performed in a certain order, but we can probably live with
     // that until XPCWN Xrays go away with the new DOM bindings.
     return JS_GetPropertyDescriptorById(cx, holder, id, desc);
 }
 bool
 XPCWrappedNativeXrayTraits::defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
                                            MutableHandle<JSPropertyDescriptor> desc,
                                            Handle<JSPropertyDescriptor> existingDesc, bool *defined)
 {
     *defined = false;
     JSObject *holder = singleton.ensureHolder(cx, wrapper);
     if (isResolving(cx, holder, id)) {
         if (!desc.hasAttributes(JSPROP_GETTER | JSPROP_SETTER)) {
             if (!desc.getter())
                 desc.setGetter(holder_get);
             if (!desc.setter())
                 desc.setSetter(holder_set);
         }
         *defined = true;
         return JS_DefinePropertyById(cx, holder, id, desc.value(), desc.getter(), desc.setter(),
                                      desc.attributes());
     }
     // Check for an indexed property on a Window.  If that's happening, do
     // nothing but claim we defined it so it won't get added as an expando.
     int32_t index = GetArrayIndexFromId(cx, id);
     if (IsArrayIndex(index) && IsWindow(cx, wrapper)) {
         *defined = true;
         return true;
     }
     return true;
 }
 bool
 XPCWrappedNativeXrayTraits::enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                                            AutoIdVector &props)
 {
     // Force all native properties to be materialized onto the wrapped native.
     AutoIdVector wnProps(cx);
     {
         RootedObject target(cx, singleton.getTargetObject(wrapper));
         JSAutoCompartment ac(cx, target);
         if (!js::GetPropertyNames(cx, target, flags, &wnProps))
             return false;
     }
     if (!JS_WrapAutoIdVector(cx, wnProps))
         return false;
     // Go through the properties we got and enumerate all native ones.
     for (size_t n = 0; n < wnProps.length(); ++n) {
         RootedId id(cx, wnProps[n]);
         bool hasProp;
         if (!JS_HasPropertyById(cx, wrapper, id, &hasProp))
             return false;
         if (hasProp)
             props.append(id);
     }
     return true;
 }
 JSObject *
 XPCWrappedNativeXrayTraits::createHolder(JSContext *cx, JSObject *wrapper)
 {
     RootedObject global(cx, JS_GetGlobalForObject(cx, wrapper));
     JSObject *holder = JS_NewObjectWithGivenProto(cx, &HolderClass, JS::NullPtr(),
                                                   global);
     if (!holder)
         return nullptr;
     js::SetReservedSlot(holder, JSSLOT_RESOLVING, PrivateValue(nullptr));
     return holder;
 }
 bool
 XPCWrappedNativeXrayTraits::call(JSContext *cx, HandleObject wrapper,
                                  const JS::CallArgs &args,
                                  js::Wrapper& baseInstance)
 {
     // Run the resolve hook of the wrapped native.
     XPCWrappedNative *wn = getWN(wrapper);
     if (NATIVE_HAS_FLAG(wn, WantCall)) {
         XPCCallContext ccx(JS_CALLER, cx, wrapper, NullPtr(), JSID_VOIDHANDLE, args.length(),
                            args.array(), args.rval().address());
         if (!ccx.IsValid())
             return false;
         bool ok = true;
         nsresult rv = wn->GetScriptableInfo()->GetCallback()->Call(
             wn, cx, wrapper, args, &ok);
         if (NS_FAILED(rv)) {
             if (ok)
                 XPCThrower::Throw(rv, cx);
             return false;
         }
     }
     return true;
 }
 bool
 XPCWrappedNativeXrayTraits::construct(JSContext *cx, HandleObject wrapper,
                                       const JS::CallArgs &args,
                                       js::Wrapper& baseInstance)
 {
     // Run the resolve hook of the wrapped native.
     XPCWrappedNative *wn = getWN(wrapper);
     if (NATIVE_HAS_FLAG(wn, WantConstruct)) {
         XPCCallContext ccx(JS_CALLER, cx, wrapper, NullPtr(), JSID_VOIDHANDLE, args.length(),
                            args.array(), args.rval().address());
         if (!ccx.IsValid())
             return false;
         bool ok = true;
         nsresult rv = wn->GetScriptableInfo()->GetCallback()->Construct(
             wn, cx, wrapper, args, &ok);
         if (NS_FAILED(rv)) {
             if (ok)
                 XPCThrower::Throw(rv, cx);
             return false;
         }
     }
     return true;
 }
 bool
 DOMXrayTraits::resolveNativeProperty(JSContext *cx, HandleObject wrapper,
                                      HandleObject holder, HandleId id,
                                      MutableHandle<JSPropertyDescriptor> desc)
 {
     RootedObject obj(cx, getTargetObject(wrapper));
     if (!XrayResolveNativeProperty(cx, wrapper, obj, id, desc))
         return false;
     MOZ_ASSERT(!desc.object() || desc.object() == wrapper, "What did we resolve this on?");
     return true;
 }
 bool
 DOMXrayTraits::resolveOwnProperty(JSContext *cx, Wrapper &jsWrapper, HandleObject wrapper,
                                   HandleObject holder, HandleId id,
                                   MutableHandle<JSPropertyDescriptor> desc)
 {
     // Call the common code.
     bool ok = XrayTraits::resolveOwnProperty(cx, jsWrapper, wrapper, holder, id, desc);
     if (!ok || desc.object())
         return ok;
     // Check for indexed access on a window.
     int32_t index = GetArrayIndexFromId(cx, id);
     if (IsArrayIndex(index)) {
         nsGlobalWindow* win = AsWindow(cx, wrapper);
         // Note: As() unwraps outer windows to get to the inner window.
         if (win) {
             bool unused;
             nsCOMPtr<nsIDOMWindow> subframe = win->IndexedGetter(index, unused);
             if (subframe) {
                 nsGlobalWindow* global = static_cast<nsGlobalWindow*>(subframe.get());
                 global->EnsureInnerWindow();
                 JSObject* obj = global->FastGetGlobalJSObject();
                 if (MOZ_UNLIKELY(!obj)) {
                     // It's gone?
                     return xpc::Throw(cx, NS_ERROR_FAILURE);
                 }
                 desc.value().setObject(*obj);
                 FillPropertyDescriptor(desc, wrapper, true);
                 return JS_WrapPropertyDescriptor(cx, desc);
             }
         }
     }
     RootedObject obj(cx, getTargetObject(wrapper));
     if (!XrayResolveOwnProperty(cx, wrapper, obj, id, desc))
         return false;
     MOZ_ASSERT(!desc.object() || desc.object() == wrapper, "What did we resolve this on?");
     return true;
 }
 bool
 DOMXrayTraits::defineProperty(JSContext *cx, HandleObject wrapper, HandleId id,
                               MutableHandle<JSPropertyDescriptor> desc,
                               Handle<JSPropertyDescriptor> existingDesc, bool *defined)
 {
     // Check for an indexed property on a Window.  If that's happening, do
     // nothing but claim we defined it so it won't get added as an expando.
     if (IsWindow(cx, wrapper)) {
         int32_t index = GetArrayIndexFromId(cx, id);
         if (IsArrayIndex(index)) {
             *defined = true;
             return true;
         }
     }
     if (!existingDesc.object())
         return true;
     JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
     return XrayDefineProperty(cx, wrapper, obj, id, desc, defined);
 }
 bool
 DOMXrayTraits::set(JSContext *cx, HandleObject wrapper, HandleObject receiver, HandleId id,
                    bool strict, MutableHandleValue vp)
 {
     MOZ_ASSERT(xpc::WrapperFactory::IsXrayWrapper(wrapper));
     RootedObject obj(cx, getTargetObject(wrapper));
     if (IsDOMProxy(obj)) {
         DOMProxyHandler* handler = GetDOMProxyHandler(obj);
         bool done;
         if (!handler->setCustom(cx, obj, id, vp, &done))
             return false;
         if (done)
             return true;
     }
     return XrayTraits::set(cx, wrapper, receiver, id, strict, vp);
 }
 bool
 DOMXrayTraits::enumerateNames(JSContext *cx, HandleObject wrapper, unsigned flags,
                               AutoIdVector &props)
 {
     JS::Rooted<JSObject*> obj(cx, getTargetObject(wrapper));
     return XrayEnumerateProperties(cx, wrapper, obj, flags, props);
 }
 bool
 DOMXrayTraits::call(JSContext *cx, HandleObject wrapper,
                     const JS::CallArgs &args, js::Wrapper& baseInstance)
 {
     RootedObject obj(cx, getTargetObject(wrapper));
     const js::Class* clasp = js::GetObjectClass(obj);
     // What we have is either a WebIDL interface object, a WebIDL prototype
     // object, or a WebIDL instance object.  WebIDL prototype objects never have
     // a clasp->call.  WebIDL interface objects we want to invoke on the xray
     // compartment.  WebIDL instance objects either don't have a clasp->call or
     // are using "legacycaller", which basically means plug-ins.  We want to
     // call those on the content compartment.
     if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
         if (!clasp->call) {
             RootedValue v(cx, ObjectValue(*wrapper));
             js_ReportIsNotFunction(cx, v);
             return false;
         }
         // call it on the Xray compartment
         if (!clasp->call(cx, args.length(), args.base()))
             return false;
     } else {
         // This is only reached for WebIDL instance objects, and in practice
         // only for plugins.  Just call them on the content compartment.
         if (!baseInstance.call(cx, wrapper, args))
             return false;
     }
     return JS_WrapValue(cx, args.rval());
 }
 bool
 DOMXrayTraits::construct(JSContext *cx, HandleObject wrapper,
                          const JS::CallArgs &args, js::Wrapper& baseInstance)
 {
     RootedObject obj(cx, getTargetObject(wrapper));
     MOZ_ASSERT(mozilla::dom::HasConstructor(obj));
     const js::Class* clasp = js::GetObjectClass(obj);
     // See comments in DOMXrayTraits::call() explaining what's going on here.
     if (clasp->flags & JSCLASS_IS_DOMIFACEANDPROTOJSCLASS) {
         if (!clasp->construct) {
             RootedValue v(cx, ObjectValue(*wrapper));
             js_ReportIsNotFunction(cx, v);
             return false;
         }
         if (!clasp->construct(cx, args.length(), args.base()))
             return false;
     } else {
         if (!baseInstance.construct(cx, wrapper, args))
             return false;
     }
     if (!args.rval().isObject() || !JS_WrapValue(cx, args.rval()))
         return false;
     return true;
 }
 void
 DOMXrayTraits::preserveWrapper(JSObject *target)
 {
     nsISupports *identity = mozilla::dom::UnwrapDOMObjectToISupports(target);
     if (!identity)
         return;
     nsWrapperCache* cache = nullptr;
     CallQueryInterface(identity, &cache);
     if (cache)
         cache->PreserveWrapper(identity);
 }
 JSObject*
 DOMXrayTraits::createHolder(JSContext *cx, JSObject *wrapper)
 {
     RootedObject global(cx, JS_GetGlobalForObject(cx, wrapper));
     return JS_NewObjectWithGivenProto(cx, nullptr, JS::NullPtr(), global);
 }
 template <typename Base, typename Traits>
 XrayWrapper<Base, Traits>::XrayWrapper(unsigned flags)
   : Base(flags | WrapperFactory::IS_XRAY_WRAPPER_FLAG)
 {
     Base::setHasPrototype(Traits::HasPrototype);
 }
 template <typename Base, typename Traits>
 XrayWrapper<Base, Traits>::~XrayWrapper()
 {
 }
 namespace XrayUtils {
 JSObject *
 GetNativePropertiesObject(JSContext *cx, JSObject *wrapper)
 {
     MOZ_ASSERT(js::IsWrapper(wrapper) && WrapperFactory::IsXrayWrapper(wrapper),
                "bad object passed in");
     JSObject *holder = GetHolder(wrapper);
     MOZ_ASSERT(holder, "uninitialized wrapper being used?");
     return holder;
 }
 bool
 IsXrayResolving(JSContext *cx, HandleObject wrapper, HandleId id)
 {
     if (!WrapperFactory::IsXrayWrapper(wrapper) ||
         GetXrayType(wrapper) != XrayForWrappedNative)
     {
         return false;
     }
     JSObject *holder =
       XPCWrappedNativeXrayTraits::singleton.ensureHolder(cx, wrapper);
     return XPCWrappedNativeXrayTraits::isResolving(cx, holder, id);
 }
 bool
 HasNativeProperty(JSContext *cx, HandleObject wrapper, HandleId id, bool *hasProp)
 {
     MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
     XrayTraits *traits = GetXrayTraits(wrapper);
     MOZ_ASSERT(traits);
     RootedObject holder(cx, traits->ensureHolder(cx, wrapper));
     NS_ENSURE_TRUE(holder, false);
     *hasProp = false;
     Rooted<JSPropertyDescriptor> desc(cx);
     Wrapper *handler = Wrapper::wrapperHandler(wrapper);
     // Try resolveOwnProperty.
     Maybe<ResolvingId> resolvingId;
     if (traits == &XPCWrappedNativeXrayTraits::singleton)
         resolvingId.construct(cx, wrapper, id);
     if (!traits->resolveOwnProperty(cx, *handler, wrapper, holder, id, &desc))
         return false;
     if (desc.object()) {
         *hasProp = true;
         return true;
     }
     // Try the holder.
     bool found = false;
     if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found))
         return false;
     if (found) {
         *hasProp = true;
         return true;
     }
     // Try resolveNativeProperty.
     if (!traits->resolveNativeProperty(cx, wrapper, holder, id, &desc))
         return false;
     *hasProp = !!desc.object();
     return true;
 }
 } // namespace XrayUtils
 static bool
 XrayToString(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     if (!args.thisv().isObject()) {
         JS_ReportError(cx, "XrayToString called on an incompatible object");
         return false;
     }
     RootedObject wrapper(cx, &args.thisv().toObject());
     if (!wrapper)
         return false;
     if (IsWrapper(wrapper) &&
         GetProxyHandler(wrapper) == &sandboxCallableProxyHandler) {
         wrapper = xpc::SandboxCallableProxyHandler::wrappedObject(wrapper);
     }
     if (!IsWrapper(wrapper) || !WrapperFactory::IsXrayWrapper(wrapper)) {
         JS_ReportError(cx, "XrayToString called on an incompatible object");
         return false;
     }
     static const char start[] = "[object XrayWrapper ";
     static const char end[] = "]";
     RootedObject obj(cx, XrayTraits::getTargetObject(wrapper));
     XrayType type = GetXrayType(obj);
     if (type == XrayForDOMObject)
         return NativeToString(cx, wrapper, obj, start, end, args.rval());
     if (type != XrayForWrappedNative) {
         JS_ReportError(cx, "XrayToString called on an incompatible object");
         return false;
     }
     nsAutoString result;
     result.AppendASCII(start);
     XPCCallContext ccx(JS_CALLER, cx, obj);
     XPCWrappedNative *wn = XPCWrappedNativeXrayTraits::getWN(wrapper);
     char *wrapperStr = wn->ToString();
     if (!wrapperStr) {
         JS_ReportOutOfMemory(cx);
         return false;
     }
     result.AppendASCII(wrapperStr);
     JS_smprintf_free(wrapperStr);
     result.AppendASCII(end);
     JSString *str = JS_NewUCStringCopyN(cx, result.get(), result.Length());
     if (!str)
         return false;
     args.rval().setString(str);
     return true;
 }
 #ifdef DEBUG
 static void
 DEBUG_CheckXBLCallable(JSContext *cx, JSObject *obj)
 {
     // In general, we shouldn't have cross-compartment wrappers here, because
     // we should be running in an XBL scope, and the content prototype should
     // contain wrappers to functions defined in the XBL scope. But if the node
     // has been adopted into another compartment, those prototypes will now point
     // to a different XBL scope (which is ok).
     MOZ_ASSERT_IF(js::IsCrossCompartmentWrapper(obj),
                   xpc::IsXBLScope(js::GetObjectCompartment(js::UncheckedUnwrap(obj))));
     MOZ_ASSERT(JS_ObjectIsCallable(cx, obj));
 }
 static void
 DEBUG_CheckXBLLookup(JSContext *cx, JSPropertyDescriptor *desc)
 {
     if (!desc->obj)
         return;
     if (!desc->value.isUndefined()) {
         MOZ_ASSERT(desc->value.isObject());
         DEBUG_CheckXBLCallable(cx, &desc->value.toObject());
     }
     if (desc->getter) {
         MOZ_ASSERT(desc->attrs & JSPROP_GETTER);
         DEBUG_CheckXBLCallable(cx, JS_FUNC_TO_DATA_PTR(JSObject *, desc->getter));
     }
     if (desc->setter) {
         MOZ_ASSERT(desc->attrs & JSPROP_SETTER);
         DEBUG_CheckXBLCallable(cx, JS_FUNC_TO_DATA_PTR(JSObject *, desc->setter));
     }
 }
 #else
 #define DEBUG_CheckXBLLookup(a, b) {}
 #endif
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::isExtensible(JSContext *cx, JS::Handle<JSObject*> wrapper, bool *extensible)
 {
     // Xray wrappers are supposed to provide a clean view of the target
     // reflector, hiding any modifications by script in the target scope.  So
     // even if that script freezes the reflector, we don't want to make that
     // visible to the caller. DOM reflectors are always extensible by default,
     // so we can just return true here.
     *extensible = true;
     return true;
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::preventExtensions(JSContext *cx, HandleObject wrapper)
 {
     // See above.
     JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_CANT_CHANGE_EXTENSIBILITY);
     return false;
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::getPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id,
                                                  JS::MutableHandle<JSPropertyDescriptor> desc)
 {
     assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::GET | BaseProxyHandler::SET);
     RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
     if (Traits::isResolving(cx, holder, id)) {
         desc.object().set(nullptr);
         return true;
     }
     typename Traits::ResolvingIdImpl resolving(cx, wrapper, id);
     if (!holder)
         return false;
     // Ordering is important here.
     //
     // We first need to call resolveOwnProperty, even before checking the holder,
     // because there might be a new dynamic |own| property that appears and
     // shadows a previously-resolved non-own property that we cached on the
     // holder. This can happen with indexed properties on NodeLists, for example,
     // which are |own| value props.
     //
     // resolveOwnProperty may or may not cache what it finds on the holder,
     // depending on how ephemeral it decides the property is. XPCWN |own|
     // properties generally end up on the holder via NewResolve, whereas
     // NodeList |own| properties don't get defined on the holder, since they're
     // supposed to be dynamic. This means that we have to first check the result
     // of resolveOwnProperty, and _then_, if that comes up blank, check the
     // holder for any cached native properties.
     //
     // Finally, we call resolveNativeProperty, which checks non-own properties,
     // and unconditionally caches what it finds on the holder.
     // Check resolveOwnProperty.
     if (!Traits::singleton.resolveOwnProperty(cx, *this, wrapper, holder, id, desc))
         return false;
     // Check the holder.
     if (!desc.object() && !JS_GetPropertyDescriptorById(cx, holder, id, desc))
         return false;
     if (desc.object()) {
         desc.object().set(wrapper);
         return true;
     }
     // Nothing in the cache. Call through, and cache the result.
     if (!Traits::singleton.resolveNativeProperty(cx, wrapper, holder, id, desc))
         return false;
     // We need to handle named access on the Window somewhere other than
     // Traits::resolveOwnProperty, because per spec it happens on the Global
     // Scope Polluter and thus the resulting properties are non-|own|. However,
     // we're set up (above) to cache (on the holder) anything that comes out of
     // resolveNativeProperty, which we don't want for something dynamic like
     // named access. So we just handle it separately here.
     nsGlobalWindow *win = nullptr;
     if (!desc.object() &&
         JSID_IS_STRING(id) &&
         (win = AsWindow(cx, wrapper)))
     {
         nsDependentJSString name(id);
         nsCOMPtr<nsIDOMWindow> childDOMWin = win->GetChildWindow(name);
         if (childDOMWin) {
             nsGlobalWindow *cwin = static_cast<nsGlobalWindow*>(childDOMWin.get());
             JSObject *childObj = cwin->FastGetGlobalJSObject();
             if (MOZ_UNLIKELY(!childObj))
                 return xpc::Throw(cx, NS_ERROR_FAILURE);
             FillPropertyDescriptor(desc, wrapper, ObjectValue(*childObj),
                                    /* readOnly = */ true);
             return JS_WrapPropertyDescriptor(cx, desc);
         }
     }
     if (!desc.object() &&
         id == nsXPConnect::GetRuntimeInstance()->GetStringID(XPCJSRuntime::IDX_TO_STRING))
     {
         JSFunction *toString = JS_NewFunction(cx, XrayToString, 0, 0, wrapper, "toString");
         if (!toString)
             return false;
         desc.object().set(wrapper);
         desc.setAttributes(0);
         desc.setGetter(nullptr);
         desc.setSetter(nullptr);
         desc.value().setObject(*JS_GetFunctionObject(toString));
     }
     // If we're a special scope for in-content XBL, our script expects to see
     // the bound XBL methods and attributes when accessing content. However,
     // these members are implemented in content via custom-spliced prototypes,
     // and thus aren't visible through Xray wrappers unless we handle them
     // explicitly. So we check if we're running in such a scope, and if so,
     // whether the wrappee is a bound element. If it is, we do a lookup via
     // specialized XBL machinery.
     //
     // While we have to do some sketchy walking through content land, we should
     // be protected by read-only/non-configurable properties, and any functions
     // we end up with should _always_ be living in an XBL scope (usually ours,
     // but could be another if the node has been adopted).
     //
     // Make sure to assert this.
     nsCOMPtr<nsIContent> content;
     if (!desc.object() &&
         EnsureCompartmentPrivate(wrapper)->scope->IsXBLScope() &&
         (content = do_QueryInterfaceNative(cx, wrapper)))
     {
         if (!nsContentUtils::LookupBindingMember(cx, content, id, desc))
             return false;
         DEBUG_CheckXBLLookup(cx, desc.address());
     }
     // If we still have nothing, we're done.
     if (!desc.object())
         return true;
     if (!JS_DefinePropertyById(cx, holder, id, desc.value(), desc.getter(),
                                desc.setter(), desc.attributes()) ||
         !JS_GetPropertyDescriptorById(cx, holder, id, desc))
     {
         return false;
     }
     MOZ_ASSERT(desc.object());
     desc.object().set(wrapper);
     return true;
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::getOwnPropertyDescriptor(JSContext *cx, HandleObject wrapper, HandleId id,
                                                     JS::MutableHandle<JSPropertyDescriptor> desc)
 {
     assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::GET | BaseProxyHandler::SET);
     RootedObject holder(cx, Traits::singleton.ensureHolder(cx, wrapper));
     if (Traits::isResolving(cx, holder, id)) {
         desc.object().set(nullptr);
         return true;
     }
     typename Traits::ResolvingIdImpl resolving(cx, wrapper, id);
     // NB: Nothing we do here acts on the wrapped native itself, so we don't
     // enter our policy.
     if (!Traits::singleton.resolveOwnProperty(cx, *this, wrapper, holder, id, desc))
         return false;
     if (desc.object())
         desc.object().set(wrapper);
     return true;
 }
 // Consider what happens when chrome does |xray.expando = xray.wrappedJSObject|.
 //
 // Since the expando comes from the target compartment, wrapping it back into
 // the target compartment to define it on the expando object ends up stripping
 // off the Xray waiver that gives |xray| and |xray.wrappedJSObject| different
 // identities. This is generally the right thing to do when wrapping across
 // compartments, but is incorrect in the special case of the Xray expando
 // object. Manually re-apply Xrays if necessary.
 //
 // NB: In order to satisfy the invariants of WaiveXray, we need to pass
 // in an object sans security wrapper, which means we need to strip off any
 // potential same-compartment security wrapper that may have been applied
 // to the content object. This is ok, because the the expando object is only
 // ever accessed by code across the compartment boundary.
 static bool
 RecreateLostWaivers(JSContext *cx, JSPropertyDescriptor *orig,
                     MutableHandle<JSPropertyDescriptor> wrapped)
 {
     // Compute whether the original objects were waived, and implicitly, whether
     // they were objects at all.
     bool valueWasWaived =
         orig->value.isObject() &&
         WrapperFactory::HasWaiveXrayFlag(&orig->value.toObject());
     bool getterWasWaived =
         (orig->attrs & JSPROP_GETTER) &&
         WrapperFactory::HasWaiveXrayFlag(JS_FUNC_TO_DATA_PTR(JSObject*, orig->getter));
     bool setterWasWaived =
         (orig->attrs & JSPROP_SETTER) &&
         WrapperFactory::HasWaiveXrayFlag(JS_FUNC_TO_DATA_PTR(JSObject*, orig->setter));
     // Recreate waivers. Note that for value, we need an extra UncheckedUnwrap
     // to handle same-compartment security wrappers (see above). This should
     // never happen for getters/setters.
     RootedObject rewaived(cx);
     if (valueWasWaived && !IsCrossCompartmentWrapper(&wrapped.value().toObject())) {
         rewaived = &wrapped.value().toObject();
         rewaived = WrapperFactory::WaiveXray(cx, UncheckedUnwrap(rewaived));
         NS_ENSURE_TRUE(rewaived, false);
         wrapped.value().set(ObjectValue(*rewaived));
     }
     if (getterWasWaived && !IsCrossCompartmentWrapper(wrapped.getterObject())) {
         MOZ_ASSERT(CheckedUnwrap(wrapped.getterObject()));
         rewaived = WrapperFactory::WaiveXray(cx, wrapped.getterObject());
         NS_ENSURE_TRUE(rewaived, false);
         wrapped.setGetterObject(rewaived);
     }
     if (setterWasWaived && !IsCrossCompartmentWrapper(wrapped.setterObject())) {
         MOZ_ASSERT(CheckedUnwrap(wrapped.setterObject()));
         rewaived = WrapperFactory::WaiveXray(cx, wrapped.setterObject());
         NS_ENSURE_TRUE(rewaived, false);
         wrapped.setSetterObject(rewaived);
     }
     return true;
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::defineProperty(JSContext *cx, HandleObject wrapper,
                                           HandleId id, MutableHandle<JSPropertyDescriptor> desc)
 {
     assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
     Rooted<JSPropertyDescriptor> existing_desc(cx);
     if (!getOwnPropertyDescriptor(cx, wrapper, id, &existing_desc))
         return false;
     if (existing_desc.object() && existing_desc.isPermanent())
         return true; // silently ignore attempt to overwrite native property
     bool defined = false;
     if (!Traits::defineProperty(cx, wrapper, id, desc, existing_desc, &defined))
         return false;
     if (defined)
         return true;
     // We're placing an expando. The expando objects live in the target
     // compartment, so we need to enter it.
     RootedObject target(cx, Traits::singleton.getTargetObject(wrapper));
     JSAutoCompartment ac(cx, target);
     // Grab the relevant expando object.
     RootedObject expandoObject(cx, Traits::singleton.ensureExpandoObject(cx, wrapper,
                                                                          target));
     if (!expandoObject)
         return false;
     // Wrap the property descriptor for the target compartment.
     Rooted<JSPropertyDescriptor> wrappedDesc(cx, desc);
     if (!JS_WrapPropertyDescriptor(cx, &wrappedDesc))
         return false;
     // Fix up Xray waivers.
     if (!RecreateLostWaivers(cx, desc.address(), &wrappedDesc))
         return false;
     return JS_DefinePropertyById(cx, expandoObject, id, wrappedDesc.value(),
                                  wrappedDesc.getter(), wrappedDesc.setter(),
                                  wrappedDesc.get().attrs);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::getOwnPropertyNames(JSContext *cx, HandleObject wrapper,
                                                AutoIdVector &props)
 {
     assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::ENUMERATE);
     return enumerate(cx, wrapper, JSITER_OWNONLY | JSITER_HIDDEN, props);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::delete_(JSContext *cx, HandleObject wrapper,
                                    HandleId id, bool *bp)
 {
     assertEnteredPolicy(cx, wrapper, id, BaseProxyHandler::SET);
     // Check the expando object.
     RootedObject target(cx, Traits::getTargetObject(wrapper));
     RootedObject expando(cx, Traits::singleton.getExpandoObject(cx, target, wrapper));
     if (expando) {
         JSAutoCompartment ac(cx, expando);
         return JS_DeletePropertyById2(cx, expando, id, bp);
     }
     *bp = true;
     return true;
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::enumerate(JSContext *cx, HandleObject wrapper, unsigned flags,
                                      AutoIdVector &props)
 {
     assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::ENUMERATE);
     if (!AccessCheck::wrapperSubsumes(wrapper)) {
         JS_ReportError(cx, "Not allowed to enumerate cross origin objects");
         return false;
     }
     // Enumerate expando properties first. Note that the expando object lives
     // in the target compartment.
     RootedObject target(cx, Traits::singleton.getTargetObject(wrapper));
     RootedObject expando(cx, Traits::singleton.getExpandoObject(cx, target, wrapper));
     if (expando) {
         JSAutoCompartment ac(cx, expando);
         if (!js::GetPropertyNames(cx, expando, flags, &props))
             return false;
     }
     if (!JS_WrapAutoIdVector(cx, props))
         return false;
     return Traits::singleton.enumerateNames(cx, wrapper, flags, props);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::enumerate(JSContext *cx, HandleObject wrapper,
                                     AutoIdVector &props)
 {
     return enumerate(cx, wrapper, 0, props);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::get(JSContext *cx, HandleObject wrapper,
                                HandleObject receiver, HandleId id,
                                MutableHandleValue vp)
 {
     // Skip our Base if it isn't already ProxyHandler.
     // NB: None of the functions we call are prepared for the receiver not
     // being the wrapper, so ignore the receiver here.
     return js::BaseProxyHandler::get(cx, wrapper, Traits::HasPrototype ? receiver : wrapper, id, vp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::set(JSContext *cx, HandleObject wrapper,
                                HandleObject receiver, HandleId id,
                                bool strict, MutableHandleValue vp)
 {
     // Delegate to Traits.
     // NB: None of the functions we call are prepared for the receiver not
     // being the wrapper, so ignore the receiver here.
     return Traits::set(cx, wrapper, Traits::HasPrototype ? receiver : wrapper, id, strict, vp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::has(JSContext *cx, HandleObject wrapper,
                                HandleId id, bool *bp)
 {
     // Skip our Base if it isn't already ProxyHandler.
     return js::BaseProxyHandler::has(cx, wrapper, id, bp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::hasOwn(JSContext *cx, HandleObject wrapper,
                                   HandleId id, bool *bp)
 {
     // Skip our Base if it isn't already ProxyHandler.
     return js::BaseProxyHandler::hasOwn(cx, wrapper, id, bp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::keys(JSContext *cx, HandleObject wrapper,
                                 AutoIdVector &props)
 {
     // Skip our Base if it isn't already ProxyHandler.
     return js::BaseProxyHandler::keys(cx, wrapper, props);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::iterate(JSContext *cx, HandleObject wrapper,
                                    unsigned flags, MutableHandleValue vp)
 {
     // Skip our Base if it isn't already ProxyHandler.
     return js::BaseProxyHandler::iterate(cx, wrapper, flags, vp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::call(JSContext *cx, HandleObject wrapper, const JS::CallArgs &args)
 {
     assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::CALL);
     return Traits::call(cx, wrapper, args, Base::singleton);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::construct(JSContext *cx, HandleObject wrapper, const JS::CallArgs &args)
 {
     assertEnteredPolicy(cx, wrapper, JSID_VOID, BaseProxyHandler::CALL);
     return Traits::construct(cx, wrapper, args, Base::singleton);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::defaultValue(JSContext *cx, HandleObject wrapper,
                                         JSType hint, MutableHandleValue vp)
 {
     // Even if this isn't a security wrapper, Xray semantics dictate that we
     // run the DefaultValue algorithm directly on the Xray wrapper.
     //
     // NB: We don't have to worry about things with special [[DefaultValue]]
     // behavior like Date because we'll never have an XrayWrapper to them.
     return js::DefaultValue(cx, wrapper, hint, vp);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::getPrototypeOf(JSContext *cx, JS::HandleObject wrapper,
                                           JS::MutableHandleObject protop)
 {
     // We really only want this override for non-SecurityWrapper-inheriting
     // |Base|. But doing that statically with templates requires partial method
     // specializations (and therefore a helper class), which is all more trouble
     // than it's worth. Do a dynamic check.
     if (Base::hasSecurityPolicy())
         return Base::getPrototypeOf(cx, wrapper, protop);
     RootedObject target(cx, Traits::getTargetObject(wrapper));
     RootedObject expando(cx, Traits::singleton.getExpandoObject(cx, target, wrapper));
     // We want to keep the Xray's prototype distinct from that of content, but
     // only if there's been a set. If there's not an expando, or the expando
     // slot is |undefined|, hand back the default proto, appropriately wrapped.
     RootedValue v(cx);
     if (expando) {
         JSAutoCompartment ac(cx, expando);
         v = JS_GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
     }
     if (v.isUndefined())
         return getPrototypeOfHelper(cx, wrapper, target, protop);
     protop.set(v.toObjectOrNull());
     return JS_WrapObject(cx, protop);
 }
 template <typename Base, typename Traits>
 bool
 XrayWrapper<Base, Traits>::setPrototypeOf(JSContext *cx, JS::HandleObject wrapper,
                                           JS::HandleObject proto, bool *bp)
 {
     // Do this only for non-SecurityWrapper-inheriting |Base|. See the comment
     // in getPrototypeOf().
     if (Base::hasSecurityPolicy())
         return Base::setPrototypeOf(cx, wrapper, proto, bp);
     RootedObject target(cx, Traits::getTargetObject(wrapper));
     RootedObject expando(cx, Traits::singleton.ensureExpandoObject(cx, wrapper, target));
     // The expando lives in the target's compartment, so do our installation there.
     JSAutoCompartment ac(cx, target);
     RootedValue v(cx, ObjectOrNullValue(proto));
     if (!JS_WrapValue(cx, &v))
         return false;
     JS_SetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE, v);
     *bp = true;
     return true;
 }
 /*
  * The Permissive / Security variants should be used depending on whether the
  * compartment of the wrapper is guranteed to subsume the compartment of the
  * wrapped object (i.e. - whether it is safe from a security perspective to
  * unwrap the wrapper).
  */
 template<>
 PermissiveXrayXPCWN PermissiveXrayXPCWN::singleton(0);
 template class PermissiveXrayXPCWN;
 template<>
 SecurityXrayXPCWN SecurityXrayXPCWN::singleton(0);
 template class SecurityXrayXPCWN;
 template<>
 PermissiveXrayDOM PermissiveXrayDOM::singleton(0);
 template class PermissiveXrayDOM;
 template<>
 SecurityXrayDOM SecurityXrayDOM::singleton(0);
 template class SecurityXrayDOM;
 template<>
 PermissiveXrayJS PermissiveXrayJS::singleton(0);
 template class PermissiveXrayJS;
 template<>
 SCSecurityXrayXPCWN SCSecurityXrayXPCWN::singleton(0);
 template class SCSecurityXrayXPCWN;
 static nsQueryInterface
 do_QueryInterfaceNative(JSContext* cx, HandleObject wrapper)
 {
     nsISupports* nativeSupports = nullptr;
     if (IsWrapper(wrapper) && WrapperFactory::IsXrayWrapper(wrapper)) {
         RootedObject target(cx, XrayTraits::getTargetObject(wrapper));
         XrayType type = GetXrayType(target);
         if (type == XrayForDOMObject) {
             nativeSupports = UnwrapDOMObjectToISupports(target);
         } else if (type == XrayForWrappedNative) {
             XPCWrappedNative *wn = XPCWrappedNative::Get(target);
             nativeSupports = wn->Native();
         }
     } else {
         nsIXPConnect *xpc = nsXPConnect::XPConnect();
         nativeSupports = xpc->GetNativeOfWrapper(cx, wrapper);
     }
     return nsQueryInterface(nativeSupports);
 }
 }

The Tor Browser / annotate

js/xpconnect/wrappers/XrayWrapper.cpp@129ffea94266 (annotated)

js/xpconnect/wrappers/XrayWrapper.cpp