Bug 833856 - Handle errors better in EvaluateString. r=bz

This bug happens when we take the !useSandbox path. Basically, when the code throws, we can end up with garbage in *aRetValue while still returning true from EvaluateString. It looks like the convention is for these kind of eval functions to return success even for invalid code, so lets just make sure we check things a bit better. This crashtest is kind of half-baked in the sense that it doesn't actually crash without the rest of the patch. But the testcase here involves a lot of undefined behavior (what ends up getting left in *aRetValue) during a call to window.open (which spins the event loop, etc). I already sunk about half an hour into trying to make it crash, so I'm just going to go with this for now.
2024-09-13 09:24:08 -07:00 · 2013-01-25 11:17:40 +01:00 · 2013-01-25 11:17:40 +01:00 · 800db35b78
commit 800db35b78
parent 9b3101c7c6
4 changed files with 21 additions and 8 deletions
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@ -1296,10 +1296,10 @@ nsJSContext::EvaluateString(const nsAString& aScript,
  }

  if (!ok) {
+    *aRetValue = JS::UndefinedValue();
    // Tell XPConnect about any pending exceptions. This is needed
    // to avoid dropping JS exceptions in case we got here through
    // nested calls through XPConnect.
-
    ReportPendingException();
  }

--- a/dom/src/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/src/jsurl/nsJSProtocolHandler.cpp
@ -346,13 +346,11 @@ nsresult nsJSThunk::EvaluateScript(nsIChannel *aChannel,
        return NS_ERROR_OUT_OF_MEMORY;
    }

-    if (NS_FAILED(rv)) {
-        rv = NS_ERROR_MALFORMED_URI;
-    }
-    else if (v.isUndefined()) {
-        rv = NS_ERROR_DOM_RETVAL_UNDEFINED;
-    }
-    else {
+    if (NS_FAILED(rv) || !(v.isString() || v.isUndefined())) {
+        return NS_ERROR_MALFORMED_URI;
+    } else if (v.isUndefined()) {
+        return NS_ERROR_DOM_RETVAL_UNDEFINED;
+    } else {
        nsDependentJSString result;
        if (!result.init(cx, v)) {
            return NS_ERROR_OUT_OF_MEMORY;
--- a/js/xpconnect/crashtests/833856.html
+++ b/js/xpconnect/crashtests/833856.html
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+function go() {
+  window.location = "javascript: foopy();";
+  setTimeout(function(){document.documentElement.removeAttribute("class");}, 0);
+}
+
+</script>
+</head>
+<body onload="go()">
+</body>
+</html>
--- a/js/xpconnect/crashtests/crashtests.list
+++ b/js/xpconnect/crashtests/crashtests.list
@ -47,3 +47,4 @@ load 776328.html
 load 776333.html
 load 791845.html
 load 797583.html
+load 833856.html