DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
<!DOCTYPE html>
<html>
<head>
<script>

// Morph a slim wrapper into an XPCWN by generating a cross-compartment wrapper
// for it (we Morph in WrapperFactory::PrepareForWrapping).
function makeNonSlim(elem) {
  window.parent.someCCW = elem;
  delete window.parent.someCCW;
}

function doTest() {

  // Get a slim wrapper for |form|. This lives in scope 1.
  var form = document.getElementById('myform');

  // The gist here is that we want to create an input element that isn't part
  // of a form, so that its PreCreate hook will cause it to be parented to the
  // document. However, there are several considerations that make this more
  // complicted.
  //
  // First, the crashtest becomes non-deterministics if we morph |form| before
  // getting to scope 3 (as explained below). This means that we can't trigger
  // the PreCreate hook for |input|, because that will call WrapNativeParent
  // on the form, which will end up making a cross-compartment wrapper, which
  // will morph form. But this puts us in a pickle, because appendChild returns
  // the apppended child, which will trigger the PreCreate hook in
  // NativeInterface2JSObject. So we do this little hack where we append a buch
  // of dummy <div> children to the form, and use replaceChild (which returns
  // the replacer, not the replacee) to stick the input elements as children of
  // the form.
  //
  // Second, the crashtest can also be non-deterministics if the final call to
  // MoveWrappers iterates over the hashtable in such a way that it fixes up
  // the Document before it fixes up the Input. If so, the Input will become
  // orphaned, and we'll detect it and fix things up at the top of MoveWrapper.
  // Since we can't control the hashtable ordering here, we just make 100 input
  // elements, to make it a near-certainty (statistically) that we'll encounter
  // one of them during iteration before encountering the Document.
  //
  // With all this, this testcase deterministically crashes on my machine. Whew!

  // Create an input element. This isn't part of a form right now, so it gets
  // parented to the document.
  var inputs = [];
  var placeHolders = [];
  for (var i = 0; i < 100; ++i) {
    var dummyDiv = form.appendChild(document.createElement('div'));
    var input = document.createElement('input');
    makeNonSlim(input);
    inputs.push(input);
    placeHolders.push(dummyDiv);
  }

  // Blow away the document, forcing a transplan of all the XPCWNs in scope. This
  // will transplant |input|, but |form| stays in the old scope (since it's slim).
  document.open();
  document.close();

  // Now we're in scope 2. Associate |input| with |form| so that the next call to
  // PreCreate will parent |input| to |form| rather than the document. But make
  // sure to do it with replaceChild, rather than appendChild, so that we don't
  // end up triggering the PreCreate hook for |form| in scope 2, which would make
  // make it non-slim. If we didn't, the ensuing call to MoveWrappers might find
  // |form| before |input| while iterating over the hashtable. If so, |form|
  // would be rescued as an orphan and everything would be fixed before getting to  // |input|.
  for (var i = 0; i < inputs.length; ++i)
    form.replaceChild(inputs[i], placeHolders[i]);

  // Blow away the document a second time. This should cause the crash in
  // unpatched builds.
  document.open();
  document.close();
}
</script>
</head>
<body>
<form id="myform"></form>
</body>
</html>