script: Stop trusting pointers to DOM nodes that layout provides.

Pointers to DOM nodes from layout could go stale if incremental reflow does not correctly destroy dead nodes. Therefore, we ask the JavaScript garbage collector to verify that each DOM node is indeed a valid pointer before calling event handlers on it, and fail otherwise.
2025-06-20 15:18:58 +01:00 · 2014-01-13 21:00:18 -08:00 · 2014-01-13 21:00:18 -08:00 · 7d447dbc06
commit 7d447dbc06
parent 563d6ef91a
8 changed files with 78 additions and 48 deletions
--- a/src/components/script/dom/node.rs
+++ b/src/components/script/dom/node.rs
@ -7,6 +7,7 @@
 use dom::bindings::utils::{Reflectable, Reflector, reflect_dom_object};
 use dom::bindings::utils::{DOMString, null_str_as_empty};
 use dom::bindings::utils::{ErrorResult, Fallible, NotFound, HierarchyRequest};
+use dom::bindings::utils;
 use dom::characterdata::CharacterData;
 use dom::document::{AbstractDocument, DocumentTypeId};
 use dom::documenttype::DocumentType;
@ -17,15 +18,15 @@ use dom::htmliframeelement::HTMLIFrameElement;
 use dom::htmlimageelement::HTMLImageElement;
 use dom::nodelist::{NodeList};
 use dom::text::Text;
+use layout_interface::{LayoutChan, ReapLayoutDataMsg, UntrustedNodeAddress};

-use js::jsapi::{JSObject, JSContext};
-
-use layout_interface::{LayoutChan, ReapLayoutDataMsg};
-
-use std::cast;
+use js::jsapi::{JSContext, JSObject, JSRuntime};
+use js::jsfriendapi;
 use std::cast::transmute;
+use std::cast;
 use std::cell::{RefCell, Ref, RefMut};
 use std::iter::Filter;
+use std::libc::uintptr_t;
 use std::util;
 use std::unstable::raw::Box;

@ -241,6 +242,22 @@ impl AbstractNode {
            _ => false
        }
    }
+
+    /// If the given untrusted node address represents a valid DOM node in the given runtime,
+    /// returns it.
+    pub fn from_untrusted_node_address(runtime: *JSRuntime, candidate: UntrustedNodeAddress)
+                                       -> AbstractNode {
+        unsafe {
+            let candidate: uintptr_t = cast::transmute(candidate);
+            let object: *JSObject = jsfriendapi::bindgen::JS_GetAddressableObject(runtime,
+                                                                                  candidate);
+            if object.is_null() {
+                fail!("Attempted to create an `AbstractNode` from an invalid pointer!")
+            }
+            let boxed_node: *mut Box<Node> = utils::unwrap(object);
+            AbstractNode::from_box(boxed_node)
+        }
+    }
 }

 impl<'a> AbstractNode {