wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 679013 - jsdbg2: Crash when a scripted proxy handler throws Error.prototype. r=Waldo.

Browse Source
This commit is contained in:
Jason Orendorff 2011-08-18 12:30:19 -05:00
parent fd200a56fc
commit e03d6ae0ab
4 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
js/src/jit-test/tests/debug/Object-deleteProperty-error-01.js Normal file
View File

@ -0,0 +1,16 @@
// Don't crash when a scripted proxy handler throws Error.prototype.
var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
try {
frame.arguments[0].deleteProperty("x");
} catch (exc) {
return;
}
throw new Error("deleteProperty should throw");
};
g.eval("function h(x) { debugger; }");
g.eval("h(Proxy.create({delete: function () { throw Error.prototype; }}));");

4
js/src/jsexn.h
View File

@ -102,7 +102,9 @@ js_GetLocalizedErrorMessage(JSContext* cx, void *userRef, const char *locale,
* Make a copy of errobj parented to scope. * Make a copy of errobj parented to scope.
* *
* cx must be in the same compartment as scope. errobj may be in a different * cx must be in the same compartment as scope. errobj may be in a different
* compartment, but it must be an Error object (not a wrapper of one). * compartment, but it must be an Error object (not a wrapper of one) and it
* must not be one of the prototype objects created by js_InitExceptionClasses
* (errobj->getPrivate() must not be NULL).
*/ */
extern JSObject * extern JSObject *
js_CopyErrorObject(JSContext *cx, JSObject *errobj, JSObject *scope); js_CopyErrorObject(JSContext *cx, JSObject *errobj, JSObject *scope);

2
js/src/jswrapper.cpp
View File

@ -484,7 +484,7 @@ ErrorCopier::~ErrorCopier()
cx->isExceptionPending()) cx->isExceptionPending())
{ {
Value exc = cx->getPendingException(); Value exc = cx->getPendingException();
if (exc.isObject() && exc.toObject().isError()) { if (exc.isObject() && exc.toObject().isError() && exc.toObject().getPrivate()) {
cx->clearPendingException(); cx->clearPendingException();
ac.leave(); ac.leave();
JSObject *copyobj = js_CopyErrorObject(cx, &exc.toObject(), scope); JSObject *copyobj = js_CopyErrorObject(cx, &exc.toObject(), scope);

2
js/src/vm/Debugger.cpp
View File

@ -3003,6 +3003,7 @@ DebuggerObject_getOwnPropertyDescriptor(JSContext *cx, uintN argc, Value *vp)
if (!ac.enter() || !cx->compartment->wrapId(cx, &id)) if (!ac.enter() || !cx->compartment->wrapId(cx, &id))
return false; return false;
ErrorCopier ec(ac, dbg->toJSObject());
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
return false; return false;
} }
@ -3039,6 +3040,7 @@ DebuggerObject_getOwnPropertyNames(JSContext *cx, uintN argc, Value *vp)
if (!ac.enter()) if (!ac.enter())
return false; return false;
ErrorCopier ec(ac, dbg->toJSObject());
if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &keys)) if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &keys))
return false; return false;
} }