The Tor Browser: dom/plugins/base/nsJSNPRuntime.cpp@b8a032363ba2 (annotated)

dom/plugins/base/nsJSNPRuntime.cpp@b8a032363ba2 (annotated)

dom/plugins/base/nsJSNPRuntime.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "base/basictypes.h"
 #include "jsfriendapi.h"
 #include "jswrapper.h"
 #include "nsIInterfaceRequestorUtils.h"
 #include "nsJSNPRuntime.h"
 #include "nsNPAPIPlugin.h"
 #include "nsNPAPIPluginInstance.h"
 #include "nsIScriptGlobalObject.h"
 #include "nsIScriptContext.h"
 #include "nsDOMJSUtils.h"
 #include "nsCxPusher.h"
 #include "nsIDocument.h"
 #include "nsIJSRuntimeService.h"
 #include "nsIXPConnect.h"
 #include "nsIDOMElement.h"
 #include "prmem.h"
 #include "nsIContent.h"
 #include "nsPluginInstanceOwner.h"
 #include "nsWrapperCacheInlines.h"
 #include "js/HashTable.h"
 #include "mozilla/HashFunctions.h"
 #define NPRUNTIME_JSCLASS_NAME "NPObject JS wrapper class"
 using namespace mozilla::plugins::parent;
 using namespace mozilla;
 #include "mozilla/plugins/PluginScriptableObjectParent.h"
 using mozilla::plugins::PluginScriptableObjectParent;
 using mozilla::plugins::ParentNPObject;
 struct JSObjWrapperHasher : public js::DefaultHasher<nsJSObjWrapperKey>
 {
   typedef nsJSObjWrapperKey Key;
   typedef Key Lookup;
   static uint32_t hash(const Lookup &l) {
     return HashGeneric(l.mJSObj, l.mNpp);
   }
   static void rekey(Key &k, const Key& newKey) {
     MOZ_ASSERT(k.mNpp == newKey.mNpp);
     k.mJSObj = newKey.mJSObj;
   }
 };
 // Hash of JSObject wrappers that wraps JSObjects as NPObjects. There
 // will be one wrapper per JSObject per plugin instance, i.e. if two
 // plugins access the JSObject x, two wrappers for x will be
 // created. This is needed to be able to properly drop the wrappers
 // when a plugin is torn down in case there's a leak in the plugin (we
 // don't want to leak the world just because a plugin leaks an
 // NPObject).
 typedef js::HashMap<nsJSObjWrapperKey,
                     nsJSObjWrapper*,
                     JSObjWrapperHasher,
                     js::SystemAllocPolicy> JSObjWrapperTable;
 static JSObjWrapperTable sJSObjWrappers;
 // Whether it's safe to iterate sJSObjWrappers.  Set to true when sJSObjWrappers
 // has been initialized and is not currently being enumerated.
 static bool sJSObjWrappersAccessible = false;
 // Hash of NPObject wrappers that wrap NPObjects as JSObjects.
 static PLDHashTable sNPObjWrappers;
 // Global wrapper count. This includes JSObject wrappers *and*
 // NPObject wrappers. When this count goes to zero, there are no more
 // wrappers and we can kill off hash tables etc.
 static int32_t sWrapperCount;
 // The JSRuntime. Used to unroot JSObjects when no JSContext is
 // reachable.
 static JSRuntime *sJSRuntime;
 static nsTArray<NPObject*>* sDelayedReleases;
 namespace {
 inline bool
 NPObjectIsOutOfProcessProxy(NPObject *obj)
 {
   return obj->_class == PluginScriptableObjectParent::GetClass();
 }
 } // anonymous namespace
 // Helper class that reports any JS exceptions that were thrown while
 // the plugin executed JS.
 class AutoJSExceptionReporter
 {
 public:
   AutoJSExceptionReporter(JSContext *cx)
     : mCx(cx)
   {
   }
   ~AutoJSExceptionReporter()
   {
     JS_ReportPendingException(mCx);
   }
 protected:
   JSContext *mCx;
 };
 NPClass nsJSObjWrapper::sJSObjWrapperNPClass =
   {
     NP_CLASS_STRUCT_VERSION,
     nsJSObjWrapper::NP_Allocate,
     nsJSObjWrapper::NP_Deallocate,
     nsJSObjWrapper::NP_Invalidate,
     nsJSObjWrapper::NP_HasMethod,
     nsJSObjWrapper::NP_Invoke,
     nsJSObjWrapper::NP_InvokeDefault,
     nsJSObjWrapper::NP_HasProperty,
     nsJSObjWrapper::NP_GetProperty,
     nsJSObjWrapper::NP_SetProperty,
     nsJSObjWrapper::NP_RemoveProperty,
     nsJSObjWrapper::NP_Enumerate,
     nsJSObjWrapper::NP_Construct
   };
 static bool
 NPObjWrapper_AddProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp);
 static bool
 NPObjWrapper_DelProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, bool *succeeded);
 static bool
 NPObjWrapper_SetProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, bool strict,
                          JS::MutableHandle<JS::Value> vp);
 static bool
 NPObjWrapper_GetProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp);
 static bool
 NPObjWrapper_newEnumerate(JSContext *cx, JS::Handle<JSObject*> obj, JSIterateOp enum_op,
                           JS::Value *statep, jsid *idp);
 static bool
 NPObjWrapper_NewResolve(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
                         JS::MutableHandle<JSObject*> objp);
 static bool
 NPObjWrapper_Convert(JSContext *cx, JS::Handle<JSObject*> obj, JSType type, JS::MutableHandle<JS::Value> vp);
 static void
 NPObjWrapper_Finalize(JSFreeOp *fop, JSObject *obj);
 static bool
 NPObjWrapper_Call(JSContext *cx, unsigned argc, JS::Value *vp);
 static bool
 NPObjWrapper_Construct(JSContext *cx, unsigned argc, JS::Value *vp);
 static bool
 CreateNPObjectMember(NPP npp, JSContext *cx, JSObject *obj, NPObject* npobj,
                      JS::Handle<jsid> id,  NPVariant* getPropertyResult,
                      JS::MutableHandle<JS::Value> vp);
 const JSClass sNPObjectJSWrapperClass =
   {
     NPRUNTIME_JSCLASS_NAME,
     JSCLASS_HAS_PRIVATE | JSCLASS_IMPLEMENTS_BARRIERS | JSCLASS_NEW_RESOLVE | JSCLASS_NEW_ENUMERATE,
     NPObjWrapper_AddProperty,
     NPObjWrapper_DelProperty,
     NPObjWrapper_GetProperty,
     NPObjWrapper_SetProperty,
     (JSEnumerateOp)NPObjWrapper_newEnumerate,
     (JSResolveOp)NPObjWrapper_NewResolve,
     NPObjWrapper_Convert,
     NPObjWrapper_Finalize,
     NPObjWrapper_Call,
     nullptr,                                                /* hasInstance */
     NPObjWrapper_Construct
   };
 typedef struct NPObjectMemberPrivate {
     JS::Heap<JSObject *> npobjWrapper;
     JS::Heap<JS::Value> fieldValue;
     JS::Heap<jsid> methodName;
     NPP   npp;
 } NPObjectMemberPrivate;
 static bool
 NPObjectMember_Convert(JSContext *cx, JS::Handle<JSObject*> obj, JSType type, JS::MutableHandle<JS::Value> vp);
 static void
 NPObjectMember_Finalize(JSFreeOp *fop, JSObject *obj);
 static bool
 NPObjectMember_Call(JSContext *cx, unsigned argc, JS::Value *vp);
 static void
 NPObjectMember_Trace(JSTracer *trc, JSObject *obj);
 static const JSClass sNPObjectMemberClass =
   {
     "NPObject Ambiguous Member class", JSCLASS_HAS_PRIVATE | JSCLASS_IMPLEMENTS_BARRIERS,
     JS_PropertyStub, JS_DeletePropertyStub,
     JS_PropertyStub, JS_StrictPropertyStub, JS_EnumerateStub,
     JS_ResolveStub, NPObjectMember_Convert,
     NPObjectMember_Finalize, NPObjectMember_Call,
     nullptr, nullptr, NPObjectMember_Trace
   };
 static void
 OnWrapperDestroyed();
 static void
 DelayedReleaseGCCallback(JSGCStatus status)
 {
   if (JSGC_END == status) {
     // Take ownership of sDelayedReleases and null it out now. The
     // _releaseobject call below can reenter GC and double-free these objects.
     nsAutoPtr<nsTArray<NPObject*> > delayedReleases(sDelayedReleases);
     sDelayedReleases = nullptr;
     if (delayedReleases) {
       for (uint32_t i = 0; i < delayedReleases->Length(); ++i) {
         NPObject* obj = (*delayedReleases)[i];
         if (obj)
           _releaseobject(obj);
         OnWrapperDestroyed();
       }
     }
   }
 }
 static void
 OnWrapperCreated()
 {
   if (sWrapperCount++ == 0) {
     static const char rtsvc_id[] = "@mozilla.org/js/xpc/RuntimeService;1";
     nsCOMPtr<nsIJSRuntimeService> rtsvc(do_GetService(rtsvc_id));
     if (!rtsvc)
       return;
     rtsvc->GetRuntime(&sJSRuntime);
     NS_ASSERTION(sJSRuntime != nullptr, "no JSRuntime?!");
     // Register our GC callback to perform delayed destruction of finalized
     // NPObjects. Leave this callback around and don't ever unregister it.
     rtsvc->RegisterGCCallback(DelayedReleaseGCCallback);
   }
 }
 static void
 OnWrapperDestroyed()
 {
   NS_ASSERTION(sWrapperCount, "Whaaa, unbalanced created/destroyed calls!");
   if (--sWrapperCount == 0) {
     if (sJSObjWrappersAccessible) {
       MOZ_ASSERT(sJSObjWrappers.count() == 0);
       // No more wrappers, and our hash was initialized. Finish the
       // hash to prevent leaking it.
       sJSObjWrappers.finish();
       sJSObjWrappersAccessible = false;
     }
     if (sNPObjWrappers.ops) {
       MOZ_ASSERT(sNPObjWrappers.entryCount == 0);
       // No more wrappers, and our hash was initialized. Finish the
       // hash to prevent leaking it.
       PL_DHashTableFinish(&sNPObjWrappers);
       sNPObjWrappers.ops = nullptr;
     }
     // No more need for this.
     sJSRuntime = nullptr;
   }
 }
 namespace mozilla {
 namespace plugins {
 namespace parent {
 JSContext *
 GetJSContext(NPP npp)
 {
   NS_ENSURE_TRUE(npp, nullptr);
   nsNPAPIPluginInstance *inst = (nsNPAPIPluginInstance *)npp->ndata;
   NS_ENSURE_TRUE(inst, nullptr);
   nsRefPtr<nsPluginInstanceOwner> owner = inst->GetOwner();
   NS_ENSURE_TRUE(owner, nullptr);
   nsCOMPtr<nsIDocument> doc;
   owner->GetDocument(getter_AddRefs(doc));
   NS_ENSURE_TRUE(doc, nullptr);
   nsCOMPtr<nsISupports> documentContainer = doc->GetContainer();
   nsCOMPtr<nsIScriptGlobalObject> sgo(do_GetInterface(documentContainer));
   NS_ENSURE_TRUE(sgo, nullptr);
   nsIScriptContext *scx = sgo->GetContext();
   NS_ENSURE_TRUE(scx, nullptr);
   return scx->GetNativeContext();
 }
 }
 }
 }
 static NPP
 LookupNPP(NPObject *npobj);
 static JS::Value
 NPVariantToJSVal(NPP npp, JSContext *cx, const NPVariant *variant)
 {
   switch (variant->type) {
   case NPVariantType_Void :
     return JSVAL_VOID;
   case NPVariantType_Null :
     return JSVAL_NULL;
   case NPVariantType_Bool :
     return BOOLEAN_TO_JSVAL(NPVARIANT_TO_BOOLEAN(*variant));
   case NPVariantType_Int32 :
     {
       // Don't use INT_TO_JSVAL directly to prevent bugs when dealing
       // with ints larger than what fits in a integer JS::Value.
       return ::JS_NumberValue(NPVARIANT_TO_INT32(*variant));
     }
   case NPVariantType_Double :
     {
       return ::JS_NumberValue(NPVARIANT_TO_DOUBLE(*variant));
     }
   case NPVariantType_String :
     {
       const NPString *s = &NPVARIANT_TO_STRING(*variant);
       NS_ConvertUTF8toUTF16 utf16String(s->UTF8Characters, s->UTF8Length);
       JSString *str =
         ::JS_NewUCStringCopyN(cx, utf16String.get(), utf16String.Length());
       if (str) {
         return STRING_TO_JSVAL(str);
       }
       break;
     }
   case NPVariantType_Object:
     {
       if (npp) {
         JSObject *obj =
           nsNPObjWrapper::GetNewOrUsed(npp, cx, NPVARIANT_TO_OBJECT(*variant));
         if (obj) {
           return OBJECT_TO_JSVAL(obj);
         }
       }
       NS_ERROR("Error wrapping NPObject!");
       break;
     }
   default:
     NS_ERROR("Unknown NPVariant type!");
   }
   NS_ERROR("Unable to convert NPVariant to jsval!");
   return JSVAL_VOID;
 }
 bool
 JSValToNPVariant(NPP npp, JSContext *cx, JS::Value val, NPVariant *variant)
 {
   NS_ASSERTION(npp, "Must have an NPP to wrap a jsval!");
   if (JSVAL_IS_PRIMITIVE(val)) {
     if (val == JSVAL_VOID) {
       VOID_TO_NPVARIANT(*variant);
     } else if (JSVAL_IS_NULL(val)) {
       NULL_TO_NPVARIANT(*variant);
     } else if (JSVAL_IS_BOOLEAN(val)) {
       BOOLEAN_TO_NPVARIANT(JSVAL_TO_BOOLEAN(val), *variant);
     } else if (JSVAL_IS_INT(val)) {
       INT32_TO_NPVARIANT(JSVAL_TO_INT(val), *variant);
     } else if (JSVAL_IS_DOUBLE(val)) {
       double d = JSVAL_TO_DOUBLE(val);
       int i;
       if (JS_DoubleIsInt32(d, &i)) {
         INT32_TO_NPVARIANT(i, *variant);
       } else {
         DOUBLE_TO_NPVARIANT(d, *variant);
       }
     } else if (JSVAL_IS_STRING(val)) {
       JSString *jsstr = JSVAL_TO_STRING(val);
       size_t length;
       const jschar *chars = ::JS_GetStringCharsZAndLength(cx, jsstr, &length);
       if (!chars) {
           return false;
       }
       nsDependentString str(chars, length);
       uint32_t len;
       char *p = ToNewUTF8String(str, &len);
       if (!p) {
         return false;
       }
       STRINGN_TO_NPVARIANT(p, len, *variant);
     } else {
       NS_ERROR("Unknown primitive type!");
       return false;
     }
     return true;
   }
   // The reflected plugin object may be in another compartment if the plugin
   // element has since been adopted into a new document. We don't bother
   // transplanting the plugin objects, and just do a unwrap with security
   // checks if we encounter one of them as an argument. If the unwrap fails,
   // we run with the original wrapped object, since sometimes there are
   // legitimate cases where a security wrapper ends up here (for example,
   // Location objects, which are _always_ behind security wrappers).
   JS::Rooted<JSObject*> obj(cx, val.toObjectOrNull());
   obj = js::CheckedUnwrap(obj);
   if (!obj) {
     obj = JSVAL_TO_OBJECT(val);
   }
   NPObject *npobj = nsJSObjWrapper::GetNewOrUsed(npp, cx, obj);
   if (!npobj) {
     return false;
   }
   // Pass over ownership of npobj to *variant
   OBJECT_TO_NPVARIANT(npobj, *variant);
   return true;
 }
 static void
 ThrowJSException(JSContext *cx, const char *message)
 {
   const char *ex = PeekException();
   if (ex) {
     nsAutoString ucex;
     if (message) {
       AppendASCIItoUTF16(message, ucex);
       AppendASCIItoUTF16(" [plugin exception: ", ucex);
     }
     AppendUTF8toUTF16(ex, ucex);
     if (message) {
       AppendASCIItoUTF16("].", ucex);
     }
     JSString *str = ::JS_NewUCStringCopyN(cx, ucex.get(), ucex.Length());
     if (str) {
       JS::Rooted<JS::Value> exn(cx, JS::StringValue(str));
       ::JS_SetPendingException(cx, exn);
     }
     PopException();
   } else {
     ::JS_ReportError(cx, message);
   }
 }
 static bool
 ReportExceptionIfPending(JSContext *cx)
 {
   const char *ex = PeekException();
   if (!ex) {
     return true;
   }
   ThrowJSException(cx, nullptr);
   return false;
 }
 nsJSObjWrapper::nsJSObjWrapper(NPP npp)
   : mJSObj(GetJSContext(npp), nullptr), mNpp(npp)
 {
   MOZ_COUNT_CTOR(nsJSObjWrapper);
   OnWrapperCreated();
 }
 nsJSObjWrapper::~nsJSObjWrapper()
 {
   MOZ_COUNT_DTOR(nsJSObjWrapper);
   // Invalidate first, since it relies on sJSRuntime and sJSObjWrappers.
   NP_Invalidate(this);
   OnWrapperDestroyed();
 }
 // static
 NPObject *
 nsJSObjWrapper::NP_Allocate(NPP npp, NPClass *aClass)
 {
   NS_ASSERTION(aClass == &sJSObjWrapperNPClass,
                "Huh, wrong class passed to NP_Allocate()!!!");
   return new nsJSObjWrapper(npp);
 }
 // static
 void
 nsJSObjWrapper::NP_Deallocate(NPObject *npobj)
 {
   // nsJSObjWrapper::~nsJSObjWrapper() will call NP_Invalidate().
   delete (nsJSObjWrapper *)npobj;
 }
 // static
 void
 nsJSObjWrapper::NP_Invalidate(NPObject *npobj)
 {
   nsJSObjWrapper *jsnpobj = (nsJSObjWrapper *)npobj;
   if (jsnpobj && jsnpobj->mJSObj) {
     if (sJSObjWrappersAccessible) {
       // Remove the wrapper from the hash
       nsJSObjWrapperKey key(jsnpobj->mJSObj, jsnpobj->mNpp);
       JSObjWrapperTable::Ptr ptr = sJSObjWrappers.lookup(key);
       MOZ_ASSERT(ptr.found());
       sJSObjWrappers.remove(ptr);
     }
     // Forget our reference to the JSObject.
     jsnpobj->mJSObj = nullptr;
   }
 }
 static bool
 GetProperty(JSContext *cx, JSObject *objArg, NPIdentifier npid, JS::MutableHandle<JS::Value> rval)
 {
   NS_ASSERTION(NPIdentifierIsInt(npid) || NPIdentifierIsString(npid),
                "id must be either string or int!\n");
   JS::Rooted<JSObject *> obj(cx, objArg);
   JS::Rooted<jsid> id(cx, NPIdentifierToJSId(npid));
   return ::JS_GetPropertyById(cx, obj, id, rval);
 }
 // static
 bool
 nsJSObjWrapper::NP_HasMethod(NPObject *npobj, NPIdentifier id)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_HasMethod!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   nsCxPusher pusher;
   pusher.Push(cx);
   JSAutoCompartment ac(cx, npjsobj->mJSObj);
   AutoJSExceptionReporter reporter(cx);
   JS::Rooted<JS::Value> v(cx);
   bool ok = GetProperty(cx, npjsobj->mJSObj, id, &v);
   return ok && !JSVAL_IS_PRIMITIVE(v) &&
     ::JS_ObjectIsFunction(cx, JSVAL_TO_OBJECT(v));
 }
 static bool
 doInvoke(NPObject *npobj, NPIdentifier method, const NPVariant *args,
          uint32_t argCount, bool ctorCall, NPVariant *result)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj || !result) {
     ThrowJSException(cx, "Null npobj, or result in doInvoke!");
     return false;
   }
   // Initialize *result
   VOID_TO_NPVARIANT(*result);
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   nsCxPusher pusher;
   pusher.Push(cx);
   JS::Rooted<JSObject*> jsobj(cx, npjsobj->mJSObj);
   JSAutoCompartment ac(cx, jsobj);
   JS::Rooted<JS::Value> fv(cx);
   AutoJSExceptionReporter reporter(cx);
   if (method != NPIdentifier_VOID) {
     if (!GetProperty(cx, jsobj, method, &fv) ||
         ::JS_TypeOfValue(cx, fv) != JSTYPE_FUNCTION) {
       return false;
     }
   } else {
     fv.setObject(*jsobj);
   }
   // Convert args
   JS::AutoValueVector jsargs(cx);
   if (!jsargs.reserve(argCount)) {
       ::JS_ReportOutOfMemory(cx);
       return false;
   }
   for (uint32_t i = 0; i < argCount; ++i) {
     jsargs.infallibleAppend(NPVariantToJSVal(npp, cx, args + i));
   }
   JS::Rooted<JS::Value> v(cx);
   bool ok = false;
   if (ctorCall) {
     JSObject *newObj =
       ::JS_New(cx, jsobj, jsargs);
     if (newObj) {
       v.setObject(*newObj);
       ok = true;
     }
   } else {
     ok = ::JS_CallFunctionValue(cx, jsobj, fv, jsargs, &v);
   }
   if (ok)
     ok = JSValToNPVariant(npp, cx, v, result);
   return ok;
 }
 // static
 bool
 nsJSObjWrapper::NP_Invoke(NPObject *npobj, NPIdentifier method,
                           const NPVariant *args, uint32_t argCount,
                           NPVariant *result)
 {
   if (method == NPIdentifier_VOID) {
     return false;
   }
   return doInvoke(npobj, method, args, argCount, false, result);
 }
 // static
 bool
 nsJSObjWrapper::NP_InvokeDefault(NPObject *npobj, const NPVariant *args,
                                  uint32_t argCount, NPVariant *result)
 {
   return doInvoke(npobj, NPIdentifier_VOID, args, argCount, false,
                   result);
 }
 // static
 bool
 nsJSObjWrapper::NP_HasProperty(NPObject *npobj, NPIdentifier npid)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_HasProperty!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   bool found, ok = false;
   nsCxPusher pusher;
   pusher.Push(cx);
   AutoJSExceptionReporter reporter(cx);
   JS::Rooted<JSObject*> jsobj(cx, npjsobj->mJSObj);
   JSAutoCompartment ac(cx, jsobj);
   NS_ASSERTION(NPIdentifierIsInt(npid) || NPIdentifierIsString(npid),
                "id must be either string or int!\n");
   JS::Rooted<jsid> id(cx, NPIdentifierToJSId(npid));
   ok = ::JS_HasPropertyById(cx, jsobj, id, &found);
   return ok && found;
 }
 // static
 bool
 nsJSObjWrapper::NP_GetProperty(NPObject *npobj, NPIdentifier id,
                                NPVariant *result)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_GetProperty!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   nsCxPusher pusher;
   pusher.Push(cx);
   AutoJSExceptionReporter reporter(cx);
   JSAutoCompartment ac(cx, npjsobj->mJSObj);
   JS::Rooted<JS::Value> v(cx);
   return (GetProperty(cx, npjsobj->mJSObj, id, &v) &&
           JSValToNPVariant(npp, cx, v, result));
 }
 // static
 bool
 nsJSObjWrapper::NP_SetProperty(NPObject *npobj, NPIdentifier npid,
                                const NPVariant *value)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_SetProperty!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   bool ok = false;
   nsCxPusher pusher;
   pusher.Push(cx);
   AutoJSExceptionReporter reporter(cx);
   JS::Rooted<JSObject*> jsObj(cx, npjsobj->mJSObj);
   JSAutoCompartment ac(cx, jsObj);
   JS::Rooted<JS::Value> v(cx, NPVariantToJSVal(npp, cx, value));
   NS_ASSERTION(NPIdentifierIsInt(npid) || NPIdentifierIsString(npid),
                "id must be either string or int!\n");
   JS::Rooted<jsid> id(cx, NPIdentifierToJSId(npid));
   ok = ::JS_SetPropertyById(cx, jsObj, id, v);
   return ok;
 }
 // static
 bool
 nsJSObjWrapper::NP_RemoveProperty(NPObject *npobj, NPIdentifier npid)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_RemoveProperty!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   bool ok = false;
   nsCxPusher pusher;
   pusher.Push(cx);
   AutoJSExceptionReporter reporter(cx);
   bool deleted = false;
   JS::Rooted<JSObject*> obj(cx, npjsobj->mJSObj);
   JSAutoCompartment ac(cx, obj);
   NS_ASSERTION(NPIdentifierIsInt(npid) || NPIdentifierIsString(npid),
                "id must be either string or int!\n");
   JS::Rooted<jsid> id(cx, NPIdentifierToJSId(npid));
   ok = ::JS_DeletePropertyById2(cx, obj, id, &deleted);
   if (ok && deleted) {
     // FIXME: See bug 425823, we shouldn't need to do this, and once
     // that bug is fixed we can remove this code.
     bool hasProp;
     ok = ::JS_HasPropertyById(cx, obj, id, &hasProp);
     if (ok && hasProp) {
       // The property might have been deleted, but it got
       // re-resolved, so no, it's not really deleted.
       deleted = false;
     }
   }
   return ok && deleted;
 }
 //static
 bool
 nsJSObjWrapper::NP_Enumerate(NPObject *npobj, NPIdentifier **idarray,
                              uint32_t *count)
 {
   NPP npp = NPPStack::Peek();
   JSContext *cx = GetJSContext(npp);
   *idarray = 0;
   *count = 0;
   if (!cx) {
     return false;
   }
   if (!npobj) {
     ThrowJSException(cx,
                      "Null npobj in nsJSObjWrapper::NP_Enumerate!");
     return false;
   }
   nsJSObjWrapper *npjsobj = (nsJSObjWrapper *)npobj;
   nsCxPusher pusher;
   pusher.Push(cx);
   AutoJSExceptionReporter reporter(cx);
   JS::Rooted<JSObject*> jsobj(cx, npjsobj->mJSObj);
   JSAutoCompartment ac(cx, jsobj);
   JS::AutoIdArray ida(cx, JS_Enumerate(cx, jsobj));
   if (!ida) {
     return false;
   }
   *count = ida.length();
   *idarray = (NPIdentifier *)PR_Malloc(*count * sizeof(NPIdentifier));
   if (!*idarray) {
     ThrowJSException(cx, "Memory allocation failed for NPIdentifier!");
     return false;
   }
   for (uint32_t i = 0; i < *count; i++) {
     JS::Rooted<JS::Value> v(cx);
     if (!JS_IdToValue(cx, ida[i], &v)) {
       PR_Free(*idarray);
       return false;
     }
     NPIdentifier id;
     if (v.isString()) {
       JS::Rooted<JSString*> str(cx, v.toString());
       str = JS_InternJSString(cx, str);
       if (!str) {
         PR_Free(*idarray);
         return false;
       }
       id = StringToNPIdentifier(cx, str);
     } else {
       NS_ASSERTION(JSVAL_IS_INT(v),
                    "The element in ida must be either string or int!\n");
       id = IntToNPIdentifier(JSVAL_TO_INT(v));
     }
     (*idarray)[i] = id;
   }
   return true;
 }
 //static
 bool
 nsJSObjWrapper::NP_Construct(NPObject *npobj, const NPVariant *args,
                              uint32_t argCount, NPVariant *result)
 {
   return doInvoke(npobj, NPIdentifier_VOID, args, argCount, true, result);
 }
 /*
  * This function is called during minor GCs for each key in the sJSObjWrappers
  * table that has been moved.
  *
  * Note that the wrapper may be dead at this point, and even the table may have
  * been finalized if all wrappers have died.
  */
 static void
 JSObjWrapperKeyMarkCallback(JSTracer *trc, JSObject *obj, void *data) {
   NPP npp = static_cast<NPP>(data);
   MOZ_ASSERT(sJSObjWrappersAccessible);
   if (!sJSObjWrappers.initialized())
     return;
   JSObject *prior = obj;
   nsJSObjWrapperKey oldKey(prior, npp);
   JSObjWrapperTable::Ptr p = sJSObjWrappers.lookup(oldKey);
   if (!p)
     return;
   JS_CallObjectTracer(trc, &obj, "sJSObjWrappers key object");
   nsJSObjWrapperKey newKey(obj, npp);
   sJSObjWrappers.rekeyIfMoved(oldKey, newKey);
 }
 // Look up or create an NPObject that wraps the JSObject obj.
 // static
 NPObject *
 nsJSObjWrapper::GetNewOrUsed(NPP npp, JSContext *cx, JS::Handle<JSObject*> obj)
 {
   if (!npp) {
     NS_ERROR("Null NPP passed to nsJSObjWrapper::GetNewOrUsed()!");
     return nullptr;
   }
   if (!cx) {
     cx = GetJSContext(npp);
     if (!cx) {
       NS_ERROR("Unable to find a JSContext in nsJSObjWrapper::GetNewOrUsed()!");
       return nullptr;
     }
   }
   // No need to enter the right compartment here as we only get the
   // class and private from the JSObject, neither of which cares about
   // compartments.
   const JSClass *clazz = JS_GetClass(obj);
   if (clazz == &sNPObjectJSWrapperClass) {
     // obj is one of our own, its private data is the NPObject we're
     // looking for.
     NPObject *npobj = (NPObject *)::JS_GetPrivate(obj);
     // If the private is null, that means that the object has already been torn
     // down, possible because the owning plugin was destroyed (there can be
     // multiple plugins, so the fact that it was destroyed does not prevent one
     // of its dead JS objects from being passed to another plugin). There's not
     // much use in wrapping such a dead object, so we just return null, causing
     // us to throw.
     if (!npobj)
       return nullptr;
     if (LookupNPP(npobj) == npp)
       return _retainobject(npobj);
   }
   if (!sJSObjWrappers.initialized()) {
     // No hash yet (or any more), initialize it.
     if (!sJSObjWrappers.init(16)) {
       NS_ERROR("Error initializing PLDHashTable!");
       return nullptr;
     }
     sJSObjWrappersAccessible = true;
   }
   MOZ_ASSERT(sJSObjWrappersAccessible);
   JSObjWrapperTable::Ptr p = sJSObjWrappers.lookupForAdd(nsJSObjWrapperKey(obj, npp));
   if (p) {
     MOZ_ASSERT(p->value());
     // Found a live nsJSObjWrapper, return it.
     return _retainobject(p->value());
   }
   // No existing nsJSObjWrapper, create one.
   nsJSObjWrapper *wrapper =
     (nsJSObjWrapper *)_createobject(npp, &sJSObjWrapperNPClass);
   if (!wrapper) {
     // Out of memory, entry not yet added to table.
     return nullptr;
   }
   // Assign mJSObj, rooting the JSObject. Its lifetime is now tied to that of
   // the NPObject.
   wrapper->mJSObj = obj;
   nsJSObjWrapperKey key(obj, npp);
   if (!sJSObjWrappers.putNew(key, wrapper)) {
     // Out of memory, free the wrapper we created.
     _releaseobject(wrapper);
     return nullptr;
   }
   // Add postbarrier for the hashtable key
   JS_StoreObjectPostBarrierCallback(cx, JSObjWrapperKeyMarkCallback, obj, wrapper->mNpp);
   return wrapper;
 }
 // Climb the prototype chain, unwrapping as necessary until we find an NP object
 // wrapper.
 //
 // Because this function unwraps, its return value must be wrapped for the cx
 // compartment for callers that plan to hold onto the result or do anything
 // substantial with it.
 static JSObject *
 GetNPObjectWrapper(JSContext *cx, JSObject *aObj, bool wrapResult = true)
 {
   JS::Rooted<JSObject*> obj(cx, aObj);
   while (obj && (obj = js::CheckedUnwrap(obj))) {
     if (JS_GetClass(obj) == &sNPObjectJSWrapperClass) {
       if (wrapResult && !JS_WrapObject(cx, &obj)) {
         return nullptr;
       }
       return obj;
     }
     if (!::JS_GetPrototype(cx, obj, &obj)) {
       return nullptr;
     }
   }
   return nullptr;
 }
 static NPObject *
 GetNPObject(JSContext *cx, JSObject *obj)
 {
   obj = GetNPObjectWrapper(cx, obj, /* wrapResult = */ false);
   if (!obj) {
     return nullptr;
   }
   return (NPObject *)::JS_GetPrivate(obj);
 }
 // Does not actually add a property because this is always followed by a
 // SetProperty call.
 static bool
 NPObjWrapper_AddProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class || !npobj->_class->hasProperty ||
       !npobj->_class->hasMethod) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   if (NPObjectIsOutOfProcessProxy(npobj)) {
     return true;
   }
   PluginDestructionGuard pdg(LookupNPP(npobj));
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   bool hasProperty = npobj->_class->hasProperty(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   if (hasProperty)
     return true;
   // We must permit methods here since JS_DefineUCFunction() will add
   // the function as a property
   bool hasMethod = npobj->_class->hasMethod(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   if (!hasMethod) {
     ThrowJSException(cx, "Trying to add unsupported property on NPObject!");
     return false;
   }
   return true;
 }
 static bool
 NPObjWrapper_DelProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, bool *succeeded)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class || !npobj->_class->hasProperty ||
       !npobj->_class->removeProperty) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   PluginDestructionGuard pdg(LookupNPP(npobj));
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   if (!NPObjectIsOutOfProcessProxy(npobj)) {
     bool hasProperty = npobj->_class->hasProperty(npobj, identifier);
     if (!ReportExceptionIfPending(cx))
       return false;
     if (!hasProperty) {
       *succeeded = true;
       return true;
     }
   }
   if (!npobj->_class->removeProperty(npobj, identifier))
     *succeeded = false;
   return ReportExceptionIfPending(cx);
 }
 static bool
 NPObjWrapper_SetProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, bool strict,
                          JS::MutableHandle<JS::Value> vp)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class || !npobj->_class->hasProperty ||
       !npobj->_class->setProperty) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   // Find out what plugin (NPP) is the owner of the object we're
   // manipulating, and make it own any JSObject wrappers created here.
   NPP npp = LookupNPP(npobj);
   if (!npp) {
     ThrowJSException(cx, "No NPP found for NPObject!");
     return false;
   }
   PluginDestructionGuard pdg(npp);
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   if (!NPObjectIsOutOfProcessProxy(npobj)) {
     bool hasProperty = npobj->_class->hasProperty(npobj, identifier);
     if (!ReportExceptionIfPending(cx))
       return false;
     if (!hasProperty) {
       ThrowJSException(cx, "Trying to set unsupported property on NPObject!");
       return false;
     }
   }
   NPVariant npv;
   if (!JSValToNPVariant(npp, cx, vp, &npv)) {
     ThrowJSException(cx, "Error converting jsval to NPVariant!");
     return false;
   }
   bool ok = npobj->_class->setProperty(npobj, identifier, &npv);
   _releasevariantvalue(&npv); // Release the variant
   if (!ReportExceptionIfPending(cx))
     return false;
   if (!ok) {
     ThrowJSException(cx, "Error setting property on NPObject!");
     return false;
   }
   return true;
 }
 static bool
 NPObjWrapper_GetProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class || !npobj->_class->hasProperty ||
       !npobj->_class->hasMethod || !npobj->_class->getProperty) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   // Find out what plugin (NPP) is the owner of the object we're
   // manipulating, and make it own any JSObject wrappers created here.
   NPP npp = LookupNPP(npobj);
   if (!npp) {
     ThrowJSException(cx, "No NPP found for NPObject!");
     return false;
   }
   PluginDestructionGuard pdg(npp);
   bool hasProperty, hasMethod;
   NPVariant npv;
   VOID_TO_NPVARIANT(npv);
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   if (NPObjectIsOutOfProcessProxy(npobj)) {
     PluginScriptableObjectParent* actor =
       static_cast<ParentNPObject*>(npobj)->parent;
     // actor may be null if the plugin crashed.
     if (!actor)
       return false;
     bool success = actor->GetPropertyHelper(identifier, &hasProperty,
                                             &hasMethod, &npv);
     if (!ReportExceptionIfPending(cx)) {
       if (success)
         _releasevariantvalue(&npv);
       return false;
     }
     if (success) {
       // We return NPObject Member class here to support ambiguous members.
       if (hasProperty && hasMethod)
         return CreateNPObjectMember(npp, cx, obj, npobj, id, &npv, vp);
       if (hasProperty) {
         vp.set(NPVariantToJSVal(npp, cx, &npv));
         _releasevariantvalue(&npv);
         if (!ReportExceptionIfPending(cx))
           return false;
       }
     }
     return true;
   }
   hasProperty = npobj->_class->hasProperty(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   hasMethod = npobj->_class->hasMethod(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   // We return NPObject Member class here to support ambiguous members.
   if (hasProperty && hasMethod)
     return CreateNPObjectMember(npp, cx, obj, npobj, id, nullptr, vp);
   if (hasProperty) {
     if (npobj->_class->getProperty(npobj, identifier, &npv))
       vp.set(NPVariantToJSVal(npp, cx, &npv));
     _releasevariantvalue(&npv);
     if (!ReportExceptionIfPending(cx))
       return false;
   }
   return true;
 }
 static bool
 CallNPMethodInternal(JSContext *cx, JS::Handle<JSObject*> obj, unsigned argc,
                      JS::Value *argv, JS::Value *rval, bool ctorCall)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   // Find out what plugin (NPP) is the owner of the object we're
   // manipulating, and make it own any JSObject wrappers created here.
   NPP npp = LookupNPP(npobj);
   if (!npp) {
     ThrowJSException(cx, "Error finding NPP for NPObject!");
     return false;
   }
   PluginDestructionGuard pdg(npp);
   NPVariant npargs_buf[8];
   NPVariant *npargs = npargs_buf;
   if (argc > (sizeof(npargs_buf) / sizeof(NPVariant))) {
     // Our stack buffer isn't large enough to hold all arguments,
     // malloc a buffer.
     npargs = (NPVariant *)PR_Malloc(argc * sizeof(NPVariant));
     if (!npargs) {
       ThrowJSException(cx, "Out of memory!");
       return false;
     }
   }
   // Convert arguments
   uint32_t i;
   for (i = 0; i < argc; ++i) {
     if (!JSValToNPVariant(npp, cx, argv[i], npargs + i)) {
       ThrowJSException(cx, "Error converting jsvals to NPVariants!");
       if (npargs != npargs_buf) {
         PR_Free(npargs);
       }
       return false;
     }
   }
   NPVariant v;
   VOID_TO_NPVARIANT(v);
   JSObject *funobj = JSVAL_TO_OBJECT(argv[-2]);
   bool ok;
   const char *msg = "Error calling method on NPObject!";
   if (ctorCall) {
     // construct a new NPObject based on the NPClass in npobj. Fail if
     // no construct method is available.
     if (NP_CLASS_STRUCT_VERSION_HAS_CTOR(npobj->_class) &&
         npobj->_class->construct) {
       ok = npobj->_class->construct(npobj, npargs, argc, &v);
     } else {
       ok = false;
       msg = "Attempt to construct object from class with no constructor.";
     }
   } else if (funobj != obj) {
     // A obj.function() style call is made, get the method name from
     // the function object.
     if (npobj->_class->invoke) {
       JSFunction *fun = ::JS_GetObjectFunction(funobj);
       JS::Rooted<JSString*> funId(cx, ::JS_GetFunctionId(fun));
       JSString *name = ::JS_InternJSString(cx, funId);
       NPIdentifier id = StringToNPIdentifier(cx, name);
       ok = npobj->_class->invoke(npobj, id, npargs, argc, &v);
     } else {
       ok = false;
       msg = "Attempt to call a method on object with no invoke method.";
     }
   } else {
     if (npobj->_class->invokeDefault) {
       // obj is a callable object that is being called, no method name
       // available then. Invoke the default method.
       ok = npobj->_class->invokeDefault(npobj, npargs, argc, &v);
     } else {
       ok = false;
       msg = "Attempt to call a default method on object with no "
         "invokeDefault method.";
     }
   }
   // Release arguments.
   for (i = 0; i < argc; ++i) {
     _releasevariantvalue(npargs + i);
   }
   if (npargs != npargs_buf) {
     PR_Free(npargs);
   }
   if (!ok) {
     // ReportExceptionIfPending returns a return value, which is true
     // if no exception was thrown. In that case, throw our own.
     if (ReportExceptionIfPending(cx))
       ThrowJSException(cx, msg);
     return false;
   }
   *rval = NPVariantToJSVal(npp, cx, &v);
   // *rval now owns the value, release our reference.
   _releasevariantvalue(&v);
   return ReportExceptionIfPending(cx);
 }
 static bool
 CallNPMethod(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JS::Rooted<JSObject*> obj(cx, JS_THIS_OBJECT(cx, vp));
   if (!obj)
       return false;
   return CallNPMethodInternal(cx, obj, args.length(), args.array(), vp, false);
 }
 struct NPObjectEnumerateState {
   uint32_t     index;
   uint32_t     length;
   NPIdentifier *value;
 };
 static bool
 NPObjWrapper_newEnumerate(JSContext *cx, JS::Handle<JSObject*> obj, JSIterateOp enum_op,
                           JS::Value *statep, jsid *idp)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   NPIdentifier *enum_value;
   uint32_t length;
   NPObjectEnumerateState *state;
   if (!npobj || !npobj->_class) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   PluginDestructionGuard pdg(LookupNPP(npobj));
   NS_ASSERTION(statep, "Must have a statep to enumerate!");
   switch(enum_op) {
   case JSENUMERATE_INIT:
   case JSENUMERATE_INIT_ALL:
     state = new NPObjectEnumerateState();
     if (!state) {
       ThrowJSException(cx, "Memory allocation failed for "
                        "NPObjectEnumerateState!");
       return false;
     }
     if (!NP_CLASS_STRUCT_VERSION_HAS_ENUM(npobj->_class) ||
         !npobj->_class->enumerate) {
       enum_value = 0;
       length = 0;
     } else if (!npobj->_class->enumerate(npobj, &enum_value, &length)) {
       delete state;
       if (ReportExceptionIfPending(cx)) {
         // ReportExceptionIfPending returns a return value, which is true
         // if no exception was thrown. In that case, throw our own.
         ThrowJSException(cx, "Error enumerating properties on scriptable "
                              "plugin object");
       }
       return false;
     }
     state->value = enum_value;
     state->length = length;
     state->index = 0;
     *statep = PRIVATE_TO_JSVAL(state);
     if (idp) {
       *idp = INT_TO_JSID(length);
     }
     break;
   case JSENUMERATE_NEXT:
     state = (NPObjectEnumerateState *)JSVAL_TO_PRIVATE(*statep);
     enum_value = state->value;
     length = state->length;
     if (state->index != length) {
       *idp = NPIdentifierToJSId(enum_value[state->index++]);
       return true;
     }
     // FALL THROUGH
   case JSENUMERATE_DESTROY:
     state = (NPObjectEnumerateState *)JSVAL_TO_PRIVATE(*statep);
     if (state->value)
       PR_Free(state->value);
     delete state;
     *statep = JSVAL_NULL;
     break;
   }
   return true;
 }
 static bool
 NPObjWrapper_NewResolve(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id,
                         JS::MutableHandle<JSObject*> objp)
 {
   NPObject *npobj = GetNPObject(cx, obj);
   if (!npobj || !npobj->_class || !npobj->_class->hasProperty ||
       !npobj->_class->hasMethod) {
     ThrowJSException(cx, "Bad NPObject as private data!");
     return false;
   }
   PluginDestructionGuard pdg(LookupNPP(npobj));
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   bool hasProperty = npobj->_class->hasProperty(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   if (hasProperty) {
     NS_ASSERTION(JSID_IS_STRING(id) || JSID_IS_INT(id),
                  "id must be either string or int!\n");
     if (!::JS_DefinePropertyById(cx, obj, id, JSVAL_VOID, nullptr,
                                  nullptr, JSPROP_ENUMERATE | JSPROP_SHARED)) {
         return false;
     }
     objp.set(obj);
     return true;
   }
   bool hasMethod = npobj->_class->hasMethod(npobj, identifier);
   if (!ReportExceptionIfPending(cx))
     return false;
   if (hasMethod) {
     NS_ASSERTION(JSID_IS_STRING(id) || JSID_IS_INT(id),
                  "id must be either string or int!\n");
     JSFunction *fnc = ::JS_DefineFunctionById(cx, obj, id, CallNPMethod, 0,
                                               JSPROP_ENUMERATE);
     objp.set(obj);
     return fnc != nullptr;
   }
   // no property or method
   return true;
 }
 static bool
 NPObjWrapper_Convert(JSContext *cx, JS::Handle<JSObject*> obj, JSType hint, JS::MutableHandle<JS::Value> vp)
 {
   MOZ_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING || hint == JSTYPE_VOID);
   // Plugins do not simply use JS_ConvertStub, and the default [[DefaultValue]]
   // behavior, because that behavior involves calling toString or valueOf on
   // objects which weren't designed to accommodate this.  Usually this wouldn't
   // be a problem, because the absence of either property, or the presence of
   // either property with a value that isn't callable, will cause that property
   // to simply be ignored.  But there is a problem in one specific case: Java,
   // specifically java.lang.Integer.  The Integer class has static valueOf
   // methods, none of which are nullary, so the JS-reflected method will behave
   // poorly when called with no arguments.  We work around this problem by
   // giving plugins a [[DefaultValue]] which uses only toString and not valueOf.
   JS::Rooted<JS::Value> v(cx, JSVAL_VOID);
   if (!JS_GetProperty(cx, obj, "toString", &v))
     return false;
   if (!JSVAL_IS_PRIMITIVE(v) && JS_ObjectIsCallable(cx, JSVAL_TO_OBJECT(v))) {
     if (!JS_CallFunctionValue(cx, obj, v, JS::HandleValueArray::empty(), vp))
       return false;
     if (JSVAL_IS_PRIMITIVE(vp))
       return true;
   }
   JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_CANT_CONVERT_TO,
                        JS_GetClass(obj)->name,
                        hint == JSTYPE_VOID
                        ? "primitive type"
                        : hint == JSTYPE_NUMBER
                        ? "number"
                        : "string");
   return false;
 }
 static void
 NPObjWrapper_Finalize(JSFreeOp *fop, JSObject *obj)
 {
   NPObject *npobj = (NPObject *)::JS_GetPrivate(obj);
   if (npobj) {
     if (sNPObjWrappers.ops) {
       PL_DHashTableOperate(&sNPObjWrappers, npobj, PL_DHASH_REMOVE);
     }
   }
   if (!sDelayedReleases)
     sDelayedReleases = new nsTArray<NPObject*>;
   sDelayedReleases->AppendElement(npobj);
 }
 static bool
 NPObjWrapper_Call(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JS::Rooted<JSObject*> obj(cx, &args.callee());
   return CallNPMethodInternal(cx, obj, args.length(), args.array(), vp, false);
 }
 static bool
 NPObjWrapper_Construct(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JS::Rooted<JSObject*> obj(cx, &args.callee());
   return CallNPMethodInternal(cx, obj, args.length(), args.array(), vp, true);
 }
 class NPObjWrapperHashEntry : public PLDHashEntryHdr
 {
 public:
   NPObject *mNPObj; // Must be the first member for the PLDHash stubs to work
   JSObject *mJSObj;
   NPP mNpp;
 };
 // An NPObject is going away, make sure we null out the JS object's
 // private data in case this is an NPObject that came from a plugin
 // and it's destroyed prematurely.
 // static
 void
 nsNPObjWrapper::OnDestroy(NPObject *npobj)
 {
   if (!npobj) {
     return;
   }
   if (npobj->_class == &nsJSObjWrapper::sJSObjWrapperNPClass) {
     // npobj is one of our own, no private data to clean up here.
     return;
   }
   if (!sNPObjWrappers.ops) {
     // No hash yet (or any more), no used wrappers available.
     return;
   }
   NPObjWrapperHashEntry *entry = static_cast<NPObjWrapperHashEntry *>
     (PL_DHashTableOperate(&sNPObjWrappers, npobj, PL_DHASH_LOOKUP));
   if (PL_DHASH_ENTRY_IS_BUSY(entry) && entry->mJSObj) {
     // Found a live NPObject wrapper, null out its JSObjects' private
     // data.
     ::JS_SetPrivate(entry->mJSObj, nullptr);
     // Remove the npobj from the hash now that it went away.
     PL_DHashTableRawRemove(&sNPObjWrappers, entry);
     // The finalize hook will call OnWrapperDestroyed().
   }
 }
 // Look up or create a JSObject that wraps the NPObject npobj.
 // static
 JSObject *
 nsNPObjWrapper::GetNewOrUsed(NPP npp, JSContext *cx, NPObject *npobj)
 {
   if (!npobj) {
     NS_ERROR("Null NPObject passed to nsNPObjWrapper::GetNewOrUsed()!");
     return nullptr;
   }
   if (npobj->_class == &nsJSObjWrapper::sJSObjWrapperNPClass) {
     // npobj is one of our own, return its existing JSObject.
     JS::Rooted<JSObject*> obj(cx, ((nsJSObjWrapper *)npobj)->mJSObj);
     if (!JS_WrapObject(cx, &obj)) {
       return nullptr;
     }
     return obj;
   }
   if (!npp) {
     NS_ERROR("No npp passed to nsNPObjWrapper::GetNewOrUsed()!");
     return nullptr;
   }
   if (!sNPObjWrappers.ops) {
     // No hash yet (or any more), initialize it.
     PL_DHashTableInit(&sNPObjWrappers, PL_DHashGetStubOps(), nullptr,
                       sizeof(NPObjWrapperHashEntry), 16);
   }
   NPObjWrapperHashEntry *entry = static_cast<NPObjWrapperHashEntry *>
     (PL_DHashTableOperate(&sNPObjWrappers, npobj, PL_DHASH_ADD));
   if (!entry) {
     // Out of memory
     JS_ReportOutOfMemory(cx);
     return nullptr;
   }
   if (PL_DHASH_ENTRY_IS_BUSY(entry) && entry->mJSObj) {
     // Found a live NPObject wrapper. It may not be in the same compartment
     // as cx, so we need to wrap it before returning it.
     JS::Rooted<JSObject*> obj(cx, entry->mJSObj);
     if (!JS_WrapObject(cx, &obj)) {
       return nullptr;
     }
     return obj;
   }
   entry->mNPObj = npobj;
   entry->mNpp = npp;
   uint32_t generation = sNPObjWrappers.generation;
   // No existing JSObject, create one.
   JS::Rooted<JSObject*> obj(cx, ::JS_NewObject(cx, &sNPObjectJSWrapperClass, JS::NullPtr(),
                                                JS::NullPtr()));
   if (generation != sNPObjWrappers.generation) {
       // Reload entry if the JS_NewObject call caused a GC and reallocated
       // the table (see bug 445229). This is guaranteed to succeed.
       entry = static_cast<NPObjWrapperHashEntry *>
         (PL_DHashTableOperate(&sNPObjWrappers, npobj, PL_DHASH_LOOKUP));
       NS_ASSERTION(entry && PL_DHASH_ENTRY_IS_BUSY(entry),
                    "Hashtable didn't find what we just added?");
   }
   if (!obj) {
     // OOM? Remove the stale entry from the hash.
     PL_DHashTableRawRemove(&sNPObjWrappers, entry);
     return nullptr;
   }
   OnWrapperCreated();
   entry->mJSObj = obj;
   ::JS_SetPrivate(obj, npobj);
   // The new JSObject now holds on to npobj
   _retainobject(npobj);
   return obj;
 }
 // Struct for passing an NPP and a JSContext to
 // NPObjWrapperPluginDestroyedCallback
 struct NppAndCx
 {
   NPP npp;
   JSContext *cx;
 };
 static PLDHashOperator
 NPObjWrapperPluginDestroyedCallback(PLDHashTable *table, PLDHashEntryHdr *hdr,
                                     uint32_t number, void *arg)
 {
   NPObjWrapperHashEntry *entry = (NPObjWrapperHashEntry *)hdr;
   NppAndCx *nppcx = reinterpret_cast<NppAndCx *>(arg);
   if (entry->mNpp == nppcx->npp) {
     // Prevent invalidate() and deallocate() from touching the hash
     // we're enumerating.
     const PLDHashTableOps *ops = table->ops;
     table->ops = nullptr;
     NPObject *npobj = entry->mNPObj;
     if (npobj->_class && npobj->_class->invalidate) {
       npobj->_class->invalidate(npobj);
     }
 #ifdef NS_BUILD_REFCNT_LOGGING
     {
       int32_t refCnt = npobj->referenceCount;
       while (refCnt) {
         --refCnt;
         NS_LOG_RELEASE(npobj, refCnt, "BrowserNPObject");
       }
     }
 #endif
     // Force deallocation of plugin objects since the plugin they came
     // from is being torn down.
     if (npobj->_class && npobj->_class->deallocate) {
       npobj->_class->deallocate(npobj);
     } else {
       PR_Free(npobj);
     }
     ::JS_SetPrivate(entry->mJSObj, nullptr);
     table->ops = ops;
     if (sDelayedReleases && sDelayedReleases->RemoveElement(npobj)) {
       OnWrapperDestroyed();
     }
     return PL_DHASH_REMOVE;
   }
   return PL_DHASH_NEXT;
 }
 // static
 void
 nsJSNPRuntime::OnPluginDestroy(NPP npp)
 {
   if (sJSObjWrappersAccessible) {
     // Prevent modification of sJSObjWrappers table if we go reentrant.
     sJSObjWrappersAccessible = false;
     for (JSObjWrapperTable::Enum e(sJSObjWrappers); !e.empty(); e.popFront()) {
       nsJSObjWrapper *npobj = e.front().value();
       MOZ_ASSERT(npobj->_class == &nsJSObjWrapper::sJSObjWrapperNPClass);
       if (npobj->mNpp == npp) {
         if (npobj->_class && npobj->_class->invalidate) {
           npobj->_class->invalidate(npobj);
         }
         _releaseobject(npobj);
         e.removeFront();
       }
     }
     sJSObjWrappersAccessible = true;
   }
   // Use the safe JSContext here as we're not always able to find the
   // JSContext associated with the NPP any more.
   AutoSafeJSContext cx;
   if (sNPObjWrappers.ops) {
     NppAndCx nppcx = { npp, cx };
     PL_DHashTableEnumerate(&sNPObjWrappers,
                            NPObjWrapperPluginDestroyedCallback, &nppcx);
   }
 }
 // Find the NPP for a NPObject.
 static NPP
 LookupNPP(NPObject *npobj)
 {
   if (npobj->_class == &nsJSObjWrapper::sJSObjWrapperNPClass) {
     nsJSObjWrapper* o = static_cast<nsJSObjWrapper*>(npobj);
     return o->mNpp;
   }
   NPObjWrapperHashEntry *entry = static_cast<NPObjWrapperHashEntry *>
     (PL_DHashTableOperate(&sNPObjWrappers, npobj, PL_DHASH_ADD));
   if (PL_DHASH_ENTRY_IS_FREE(entry)) {
     return nullptr;
   }
   NS_ASSERTION(entry->mNpp, "Live NPObject entry w/o an NPP!");
   return entry->mNpp;
 }
 static bool
 CreateNPObjectMember(NPP npp, JSContext *cx, JSObject *obj, NPObject* npobj,
                      JS::Handle<jsid> id,  NPVariant* getPropertyResult,
                      JS::MutableHandle<JS::Value> vp)
 {
   if (!npobj || !npobj->_class || !npobj->_class->getProperty ||
       !npobj->_class->invoke) {
     ThrowJSException(cx, "Bad NPObject");
     return false;
   }
   NPObjectMemberPrivate *memberPrivate =
     (NPObjectMemberPrivate *)PR_Malloc(sizeof(NPObjectMemberPrivate));
   if (!memberPrivate)
     return false;
   // Make sure to clear all members in case something fails here
   // during initialization.
   memset(memberPrivate, 0, sizeof(NPObjectMemberPrivate));
   JSObject *memobj = ::JS_NewObject(cx, &sNPObjectMemberClass, JS::NullPtr(), JS::NullPtr());
   if (!memobj) {
     PR_Free(memberPrivate);
     return false;
   }
   vp.setObject(*memobj);
   ::JS_SetPrivate(memobj, (void *)memberPrivate);
   NPIdentifier identifier = JSIdToNPIdentifier(id);
   JS::Rooted<JS::Value> fieldValue(cx);
   NPVariant npv;
   if (getPropertyResult) {
     // Plugin has already handed us the value we want here.
     npv = *getPropertyResult;
   }
   else {
     VOID_TO_NPVARIANT(npv);
     NPBool hasProperty = npobj->_class->getProperty(npobj, identifier,
                                                     &npv);
     if (!ReportExceptionIfPending(cx) || !hasProperty) {
       return false;
     }
   }
   fieldValue = NPVariantToJSVal(npp, cx, &npv);
   // npobjWrapper is the JSObject through which we make sure we don't
   // outlive the underlying NPObject, so make sure it points to the
   // real JSObject wrapper for the NPObject.
   obj = GetNPObjectWrapper(cx, obj);
   memberPrivate->npobjWrapper = obj;
   memberPrivate->fieldValue = fieldValue;
   memberPrivate->methodName = id;
   memberPrivate->npp = npp;
   return true;
 }
 static bool
 NPObjectMember_Convert(JSContext *cx, JS::Handle<JSObject*> obj, JSType type, JS::MutableHandle<JS::Value> vp)
 {
   NPObjectMemberPrivate *memberPrivate =
     (NPObjectMemberPrivate *)::JS_GetInstancePrivate(cx, obj,
                                                      &sNPObjectMemberClass,
                                                      nullptr);
   if (!memberPrivate) {
     NS_ERROR("no Ambiguous Member Private data!");
     return false;
   }
   switch (type) {
   case JSTYPE_VOID:
   case JSTYPE_STRING:
   case JSTYPE_NUMBER:
     vp.set(memberPrivate->fieldValue);
     if (vp.isObject()) {
       JS::Rooted<JSObject*> objVal(cx, &vp.toObject());
       return JS_DefaultValue(cx, objVal, type, vp);
     }
     return true;
   case JSTYPE_BOOLEAN:
   case JSTYPE_OBJECT:
     vp.set(memberPrivate->fieldValue);
     return true;
   case JSTYPE_FUNCTION:
     // Leave this to NPObjectMember_Call.
     return true;
   default:
     NS_ERROR("illegal operation on JSObject prototype object");
     return false;
   }
 }
 static void
 NPObjectMember_Finalize(JSFreeOp *fop, JSObject *obj)
 {
   NPObjectMemberPrivate *memberPrivate;
   memberPrivate = (NPObjectMemberPrivate *)::JS_GetPrivate(obj);
   if (!memberPrivate)
     return;
   PR_Free(memberPrivate);
 }
 static bool
 NPObjectMember_Call(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JS::Rooted<JSObject*> memobj(cx, &args.callee());
   NS_ENSURE_TRUE(memobj, false);
   NPObjectMemberPrivate *memberPrivate =
     (NPObjectMemberPrivate *)::JS_GetInstancePrivate(cx, memobj,
                                                      &sNPObjectMemberClass,
                                                      &args);
   if (!memberPrivate || !memberPrivate->npobjWrapper)
     return false;
   NPObject *npobj = GetNPObject(cx, memberPrivate->npobjWrapper);
   if (!npobj) {
     ThrowJSException(cx, "Call on invalid member object");
     return false;
   }
   NPVariant npargs_buf[8];
   NPVariant *npargs = npargs_buf;
   if (args.length() > (sizeof(npargs_buf) / sizeof(NPVariant))) {
     // Our stack buffer isn't large enough to hold all arguments,
     // malloc a buffer.
     npargs = (NPVariant *)PR_Malloc(args.length() * sizeof(NPVariant));
     if (!npargs) {
       ThrowJSException(cx, "Out of memory!");
       return false;
     }
   }
   // Convert arguments
   for (uint32_t i = 0; i < args.length(); ++i) {
     if (!JSValToNPVariant(memberPrivate->npp, cx, args[i], npargs + i)) {
       ThrowJSException(cx, "Error converting jsvals to NPVariants!");
       if (npargs != npargs_buf) {
         PR_Free(npargs);
       }
       return false;
     }
   }
   NPVariant npv;
   bool ok = npobj->_class->invoke(npobj,
                                   JSIdToNPIdentifier(memberPrivate->methodName),
                                   npargs, args.length(), &npv);
   // Release arguments.
   for (uint32_t i = 0; i < args.length(); ++i) {
     _releasevariantvalue(npargs + i);
   }
   if (npargs != npargs_buf) {
     PR_Free(npargs);
   }
   if (!ok) {
     // ReportExceptionIfPending returns a return value, which is true
     // if no exception was thrown. In that case, throw our own.
     if (ReportExceptionIfPending(cx))
       ThrowJSException(cx, "Error calling method on NPObject!");
     return false;
   }
   args.rval().set(NPVariantToJSVal(memberPrivate->npp, cx, &npv));
   // *vp now owns the value, release our reference.
   _releasevariantvalue(&npv);
   return ReportExceptionIfPending(cx);
 }
 static void
 NPObjectMember_Trace(JSTracer *trc, JSObject *obj)
 {
   NPObjectMemberPrivate *memberPrivate =
     (NPObjectMemberPrivate *)::JS_GetPrivate(obj);
   if (!memberPrivate)
     return;
   // Our NPIdentifier is not always interned, so we must root it explicitly.
   JS_CallHeapIdTracer(trc, &memberPrivate->methodName, "NPObjectMemberPrivate.methodName");
   if (!JSVAL_IS_PRIMITIVE(memberPrivate->fieldValue)) {
     JS_CallHeapValueTracer(trc, &memberPrivate->fieldValue,
                            "NPObject Member => fieldValue");
   }
   // There's no strong reference from our private data to the
   // NPObject, so make sure to mark the NPObject wrapper to keep the
   // NPObject alive as long as this NPObjectMember is alive.
   if (memberPrivate->npobjWrapper) {
     JS_CallHeapObjectTracer(trc, &memberPrivate->npobjWrapper,
                             "NPObject Member => npobjWrapper");
   }
 }

The Tor Browser / annotate

dom/plugins/base/nsJSNPRuntime.cpp@b8a032363ba2 (annotated)

dom/plugins/base/nsJSNPRuntime.cpp