Bug 709954 - Fix assertion failure "!cx->isExceptionPending()" with invalid regexp in <input pattern>; r=bz

2024-09-13 09:24:08 -07:00 · 2012-11-04 09:00:07 +01:00 · 2012-11-04 09:00:07 +01:00 · 8b5a6cf23f
commit 8b5a6cf23f
parent 8acaa800d6
3 changed files with 39 additions and 13 deletions
--- a/content/base/crashtests/709954.html
+++ b/content/base/crashtests/709954.html
@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script>
+
+function boom()
+{
+  setTimeout(function(){
+    document.documentElement.removeChild(document.body);
+  }, 0);
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<input value="f" pattern="[">
+</body>
+
+</html>
--- a/content/base/crashtests/crashtests.list
+++ b/content/base/crashtests/crashtests.list
@ -104,6 +104,7 @@ load 700090-2.html
 load 700512.html
 load xhr_html_nullresponse.html
 load 709384.html
+load 709954.html
 load 713417.html
 load 713417-2.html
 load 715056.html
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@ -6666,30 +6666,34 @@ nsContentUtils::IsPatternMatching(nsAString& aValue, nsAString& aPattern,
  NS_ASSERTION(aDocument, "aDocument should be a valid pointer (not null)");
  NS_ENSURE_TRUE(aDocument->GetScriptGlobalObject(), true);

-  JSContext* ctx = (JSContext*) aDocument->GetScriptGlobalObject()->
+  JSContext* cx = aDocument->GetScriptGlobalObject()->
                                  GetContext()->GetNativeContext();
-  NS_ENSURE_TRUE(ctx, true);
+  NS_ENSURE_TRUE(cx, true);

-  JSAutoRequest ar(ctx);
+  JSAutoRequest ar(cx);

  // The pattern has to match the entire value.
  aPattern.Insert(NS_LITERAL_STRING("^(?:"), 0);
  aPattern.Append(NS_LITERAL_STRING(")$"));

-  JSObject* re = JS_NewUCRegExpObjectNoStatics(ctx, reinterpret_cast<jschar*>
+  JSObject* re = JS_NewUCRegExpObjectNoStatics(cx, static_cast<jschar*>
                                                 (aPattern.BeginWriting()),
-                                                aPattern.Length(), 0);
-  NS_ENSURE_TRUE(re, true);
+                                               aPattern.Length(), 0);
+  if (!re) {
+    JS_ClearPendingException(cx);
+    return true;
+  }

-  jsval rval = JSVAL_NULL;
+  JS::Value rval = JS::NullValue();
  size_t idx = 0;
-  JSBool res;
+  if (!JS_ExecuteRegExpNoStatics(cx, re,
+                                 static_cast<jschar*>(aValue.BeginWriting()),
+                                 aValue.Length(), &idx, true, &rval)) {
+    JS_ClearPendingException(cx);
+    return true;
+  }

-  res = JS_ExecuteRegExpNoStatics(ctx, re, reinterpret_cast<jschar*>
-                                    (aValue.BeginWriting()),
-                                  aValue.Length(), &idx, JS_TRUE, &rval);
-
-  return res == JS_FALSE || rval != JSVAL_NULL;
+  return !rval.isNull();
 }

 // static