From 3d44a0b7f022b9eb9c72042da2e76ac24278f496 Mon Sep 17 00:00:00 2001
From: Gaming4JC <g4jc@hyperbola.info>
Date: Sun, 5 Jan 2020 10:28:42 -0500
Subject: Bug 1299363 - Part 2: Allow prototype swizzling in html constructor.

Tag UXP Issue #1344
---
 dom/bindings/BindingUtils.cpp | 20 ++++++++++++++++++--
 dom/bindings/BindingUtils.h   |  2 +-
 dom/bindings/Codegen.py       |  2 +-
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/dom/bindings/BindingUtils.cpp b/dom/bindings/BindingUtils.cpp
index 4d20a95f7..3c31ec0e6 100644
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -3431,7 +3431,7 @@ GetCustomElementReactionsStack(JS::Handle<JSObject*> aObj)
 // https://html.spec.whatwg.org/multipage/dom.html#htmlconstructor
 already_AddRefed<nsGenericHTMLElement>
 CreateHTMLElement(const GlobalObject& aGlobal, const JS::CallArgs& aCallArgs,
-                  ErrorResult& aRv)
+                  JS::Handle<JSObject*> aGivenProto, ErrorResult& aRv)
 {
   // Step 1.
   nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(aGlobal.GetAsSupports());
@@ -3566,7 +3566,23 @@ CreateHTMLElement(const GlobalObject& aGlobal, const JS::CallArgs& aCallArgs,
     return nullptr;
   }
 
-  // Step 11 is in the code output by CGClassConstructor.
+  // Step 11.
+  // Do prototype swizzling for upgrading a custom element here, for cases when
+  // we have a reflector already.  If we don't have one yet, our caller will
+  // create it with the right proto (by calling DoGetOrCreateDOMReflector with
+  // that proto).
+  JS::Rooted<JSObject*> reflector(cx, element->GetWrapper());
+  if (reflector) {
+    // reflector might be in different compartment.
+    JSAutoCompartment ac(cx, reflector);
+    JS::Rooted<JSObject*> givenProto(cx, aGivenProto);
+    if (!JS_WrapObject(cx, &givenProto) ||
+        !JS_SetPrototype(cx, reflector, givenProto)) {
+      aRv.NoteJSContextException(cx);
+      return nullptr;
+    }
+  }
+
   // Step 12 and Step 13.
   return element.forget();
 }
diff --git a/dom/bindings/BindingUtils.h b/dom/bindings/BindingUtils.h
index d600acce8..e583d0e06 100644
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -3433,7 +3433,7 @@ GetCustomElementReactionsStack(JS::Handle<JSObject*> aObj);
 // that constructor function.
 already_AddRefed<nsGenericHTMLElement>
 CreateHTMLElement(const GlobalObject& aGlobal, const JS::CallArgs& aCallArgs,
-                  ErrorResult& aRv);
+                  JS::Handle<JSObject*> aGivenProto, ErrorResult& aRv);
 
 void
 SetDocumentAndPageUseCounter(JSContext* aCx, JSObject* aObject,
diff --git a/dom/bindings/Codegen.py b/dom/bindings/Codegen.py
index 5bbf77bb6..730465fee 100644
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -7542,7 +7542,7 @@ class CGPerSignatureCall(CGThing):
             argsPre.append("global")
 
         if isConstructor and idlNode.isHTMLConstructor():
-            argsPre.append("args")
+            argsPre.extend(["args", "desiredProto"])
 
         # For JS-implemented interfaces we do not want to base the
         # needsCx decision on the types involved, just on our extended
-- 
cgit v1.2.3