summaryrefslogtreecommitdiffstats
path: root/dom
diff options
context:
space:
mode:
Diffstat (limited to 'dom')
-rw-r--r--dom/base/nsContentUtils.cpp55
-rw-r--r--dom/base/nsContentUtils.h8
-rw-r--r--dom/base/nsIDocument.h18
-rw-r--r--dom/base/nsINode.cpp49
-rw-r--r--dom/media/GraphDriver.cpp8
-rw-r--r--dom/media/GraphDriver.h6
-rw-r--r--dom/media/MediaStreamGraph.cpp3
7 files changed, 126 insertions, 21 deletions
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index 8612e76df..3696195dd 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -7597,6 +7597,24 @@ nsContentUtils::IsFileImage(nsIFile* aFile, nsACString& aType)
}
nsresult
+nsContentUtils::CalculateBufferSizeForImage(const uint32_t& aStride,
+ const IntSize& aImageSize,
+ const SurfaceFormat& aFormat,
+ size_t* aMaxBufferSize,
+ size_t* aUsedBufferSize)
+{
+ CheckedInt32 requiredBytes =
+ CheckedInt32(aStride) * CheckedInt32(aImageSize.height);
+ if (!requiredBytes.isValid()) {
+ return NS_ERROR_FAILURE;
+ }
+ *aMaxBufferSize = requiredBytes.value();
+ *aUsedBufferSize = *aMaxBufferSize - aStride +
+ (aImageSize.width * BytesPerPixel(aFormat));
+ return NS_OK;
+}
+
+nsresult
nsContentUtils::DataTransferItemToImage(const IPCDataTransferItem& aItem,
imgIContainer** aContainer)
{
@@ -7611,6 +7629,22 @@ nsContentUtils::DataTransferItemToImage(const IPCDataTransferItem& aItem,
Shmem data = aItem.data().get_Shmem();
+ // Validate shared memory buffer size
+ size_t imageBufLen = 0;
+ size_t maxBufLen = 0;
+ nsresult rv = CalculateBufferSizeForImage(imageDetails.stride(),
+ size,
+ static_cast<SurfaceFormat>(
+ imageDetails.format()),
+ &maxBufLen,
+ &imageBufLen);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (imageBufLen > data.Size<uint8_t>()) {
+ return NS_ERROR_FAILURE;
+ }
+
RefPtr<DataSourceSurface> image =
CreateDataSourceSurfaceFromData(size,
static_cast<SurfaceFormat>(imageDetails.format()),
@@ -7950,20 +7984,19 @@ GetSurfaceDataImpl(mozilla::gfx::DataSourceSurface* aSurface,
return GetSurfaceDataContext::NullValue();
}
- mozilla::gfx::IntSize size = aSurface->GetSize();
- mozilla::CheckedInt32 requiredBytes =
- mozilla::CheckedInt32(map.mStride) * mozilla::CheckedInt32(size.height);
- if (!requiredBytes.isValid()) {
+ size_t bufLen = 0;
+ size_t maxBufLen = 0;
+ nsresult rv = nsContentUtils::CalculateBufferSizeForImage(map.mStride,
+ aSurface->GetSize(),
+ aSurface->GetFormat(),
+ &maxBufLen,
+ &bufLen);
+ if (NS_FAILED(rv)) {
+ // Release mapped memory
+ aSurface->Unmap();
return GetSurfaceDataContext::NullValue();
}
- size_t maxBufLen = requiredBytes.value();
- mozilla::gfx::SurfaceFormat format = aSurface->GetFormat();
-
- // Surface data handling is totally nuts. This is the magic one needs to
- // know to access the data.
- size_t bufLen = maxBufLen - map.mStride + (size.width * BytesPerPixel(format));
-
// nsDependentCString wants null-terminated string.
typename GetSurfaceDataContext::ReturnType surfaceData = aContext.Allocate(maxBufLen + 1);
if (GetSurfaceDataContext::GetBuffer(surfaceData)) {
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index c255f813a..98df92efb 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -975,11 +975,17 @@ public:
static bool PrefetchEnabled(nsIDocShell* aDocShell);
+ static nsresult CalculateBufferSizeForImage(const uint32_t& aStride,
+ const mozilla::gfx::IntSize& aImageSize,
+ const mozilla::gfx::SurfaceFormat& aFormat,
+ size_t* aMaxBufferSize,
+ size_t* aUsedBufferSize);
+
+private:
/**
* Fill (with the parameters given) the localized string named |aKey| in
* properties file |aFile|.
*/
-private:
static nsresult FormatLocalizedString(PropertiesFile aFile,
const char* aKey,
const char16_t** aParams,
diff --git a/dom/base/nsIDocument.h b/dom/base/nsIDocument.h
index 7a73fae71..e5d12ab8f 100644
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -3439,13 +3439,29 @@ nsINode::OwnerDocAsNode() const
return OwnerDoc();
}
+// ShouldUseXBLScope is defined here as a template so that we can get the faster
+// version of IsInAnonymousSubtree if we're statically known to be an
+// nsIContent. we could try defining ShouldUseXBLScope separately on nsINode
+// and nsIContent, but then we couldn't put its nsINode implementation here
+// (because this header does not include nsIContent) and we can't put it in
+// nsIContent.h, because the definition of nsIContent::IsInAnonymousSubtree is
+// in nsIContentInlines.h. And then we get include hell from people trying to
+// call nsINode::GetParentObject but not including nsIContentInlines.h and with
+// no really good way to include it.
+template<typename T>
+inline bool ShouldUseXBLScope(const T* aNode)
+{
+ return aNode->IsInAnonymousSubtree() &&
+ !aNode->IsAnonymousContentInSVGUseSubtree();
+}
+
inline mozilla::dom::ParentObject
nsINode::GetParentObject() const
{
mozilla::dom::ParentObject p(OwnerDoc());
// Note that mUseXBLScope is a no-op for chrome, and other places where we
// don't use XBL scopes.
- p.mUseXBLScope = IsInAnonymousSubtree() && !IsAnonymousContentInSVGUseSubtree();
+ p.mUseXBLScope = ShouldUseXBLScope(this);
return p;
}
diff --git a/dom/base/nsINode.cpp b/dom/base/nsINode.cpp
index 09e848710..ca507a5fc 100644
--- a/dom/base/nsINode.cpp
+++ b/dom/base/nsINode.cpp
@@ -27,6 +27,7 @@
#include "mozilla/dom/Element.h"
#include "mozilla/dom/Event.h"
#include "mozilla/dom/ShadowRoot.h"
+#include "mozilla/dom/ScriptSettings.h"
#include "nsAttrValueOrString.h"
#include "nsBindingManager.h"
#include "nsCCUncollectableMarker.h"
@@ -1569,6 +1570,48 @@ CheckForOutdatedParent(nsINode* aParent, nsINode* aNode)
return NS_OK;
}
+static nsresult
+ReparentWrappersInSubtree(nsIContent* aRoot)
+{
+ MOZ_ASSERT(ShouldUseXBLScope(aRoot));
+ // Start off with no global so we don't fire any error events on failure.
+ AutoJSAPI jsapi;
+ jsapi.Init();
+
+ JSContext* cx = jsapi.cx();
+
+ nsIGlobalObject* docGlobal = aRoot->OwnerDoc()->GetScopeObject();
+ if (NS_WARN_IF(!docGlobal)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ JS::Rooted<JSObject*> rootedGlobal(cx, docGlobal->GetGlobalJSObject());
+ if (NS_WARN_IF(!rootedGlobal)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ rootedGlobal = xpc::GetXBLScope(cx, rootedGlobal);
+
+ nsresult rv;
+ JS::Rooted<JSObject*> reflector(cx);
+ for (nsIContent* cur = aRoot; cur; cur = cur->GetNextNode(aRoot)) {
+ if ((reflector = cur->GetWrapper())) {
+ JSAutoCompartment ac(cx, reflector);
+ rv = ReparentWrapper(cx, reflector);
+ if NS_FAILED(rv) {
+ // We _could_ consider BlastSubtreeToPieces here, but it's not really
+ // needed. Having some nodes in here accessible to content while others
+ // are not is probably OK. We just need to fail out of the actual
+ // insertion, so they're not in the DOM. Returning a failure here will
+ // do that.
+ return rv;
+ }
+ }
+ }
+
+ return NS_OK;
+}
+
nsresult
nsINode::doInsertChildAt(nsIContent* aKid, uint32_t aIndex,
bool aNotify, nsAttrAndChildArray& aChildArray)
@@ -1606,9 +1649,15 @@ nsINode::doInsertChildAt(nsIContent* aKid, uint32_t aIndex,
nsIContent* parent =
IsNodeOfType(eDOCUMENT) ? nullptr : static_cast<nsIContent*>(this);
+ bool wasInXBLScope = ShouldUseXBLScope(aKid);
rv = aKid->BindToTree(doc, parent,
parent ? parent->GetBindingParent() : nullptr,
true);
+ if (NS_SUCCEEDED(rv) && !wasInXBLScope && ShouldUseXBLScope(aKid)) {
+ MOZ_ASSERT(ShouldUseXBLScope(this),
+ "Why does the kid need to use an XBL scope?");
+ rv = ReparentWrappersInSubtree(aKid);
+ }
if (NS_FAILED(rv)) {
if (GetFirstChild() == aKid) {
mFirstChild = aKid->GetNextSibling();
diff --git a/dom/media/GraphDriver.cpp b/dom/media/GraphDriver.cpp
index cae15eb8c..e77268131 100644
--- a/dom/media/GraphDriver.cpp
+++ b/dom/media/GraphDriver.cpp
@@ -200,7 +200,7 @@ public:
STREAM_LOG(LogLevel::Debug, ("Starting system thread"));
profiler_register_thread("MediaStreamGraph", &aLocal);
LIFECYCLE_LOG("Starting a new system driver for graph %p\n",
- mDriver->mGraphImpl);
+ mDriver->mGraphImpl.get());
RefPtr<GraphDriver> previousDriver;
{
@@ -236,7 +236,7 @@ private:
void
ThreadedDriver::Start()
{
- LIFECYCLE_LOG("Starting thread for a SystemClockDriver %p\n", mGraphImpl);
+ LIFECYCLE_LOG("Starting thread for a SystemClockDriver %p\n", mGraphImpl.get());
Unused << NS_WARN_IF(mThread);
if (!mThread) { // Ensure we haven't already started it
nsCOMPtr<nsIRunnable> event = new MediaStreamGraphInitThreadRunnable(this);
@@ -830,7 +830,9 @@ AudioCallbackDriver::Revive()
mGraphImpl->SetCurrentDriver(NextDriver());
NextDriver()->Start();
} else {
- STREAM_LOG(LogLevel::Debug, ("Starting audio threads for MediaStreamGraph %p from a new thread.", mGraphImpl));
+ STREAM_LOG(LogLevel::Debug,
+ ("Starting audio threads for MediaStreamGraph %p from a new thread.",
+ mGraphImpl.get()));
RefPtr<AsyncCubebTask> initEvent =
new AsyncCubebTask(this, AsyncCubebOperation::INIT);
initEvent->Dispatch();
diff --git a/dom/media/GraphDriver.h b/dom/media/GraphDriver.h
index 411e175d3..bb4f2689b 100644
--- a/dom/media/GraphDriver.h
+++ b/dom/media/GraphDriver.h
@@ -210,10 +210,8 @@ protected:
// Time of the end of this graph iteration. This must be accessed while having
// the monitor.
GraphTime mIterationEnd;
- // The MediaStreamGraphImpl that owns this driver. This has a lifetime longer
- // than the driver, and will never be null. Hence, it can be accesed without
- // monitor.
- MediaStreamGraphImpl* mGraphImpl;
+ // The MediaStreamGraphImpl associated with this driver.
+ const RefPtr<MediaStreamGraphImpl> mGraphImpl;
// This enum specifies the wait state of the driver.
enum WaitState {
diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
index e2934cbb2..1b9e4f674 100644
--- a/dom/media/MediaStreamGraph.cpp
+++ b/dom/media/MediaStreamGraph.cpp
@@ -3371,7 +3371,8 @@ MediaStreamGraphImpl::Destroy()
// First unregister from memory reporting.
UnregisterWeakMemoryReporter(this);
- // Clear the self reference which will destroy this instance.
+ // Clear the self reference which will destroy this instance if all
+ // associated GraphDrivers are destroyed.
mSelfRef = nullptr;
}