Bug 679013 - jsdbg2: Crash when a scripted proxy handler throws Error.prototype. r=Waldo.
parent
fd200a56fc
commit
e03d6ae0ab
@ -0,0 +1,16 @@
|
|||||||
|
// Don't crash when a scripted proxy handler throws Error.prototype.
|
||||||
|
|
||||||
|
var g = newGlobal('new-compartment');
|
||||||
|
var dbg = Debugger(g);
|
||||||
|
dbg.onDebuggerStatement = function (frame) {
|
||||||
|
try {
|
||||||
|
frame.arguments[0].deleteProperty("x");
|
||||||
|
} catch (exc) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
throw new Error("deleteProperty should throw");
|
||||||
|
};
|
||||||
|
|
||||||
|
g.eval("function h(x) { debugger; }");
|
||||||
|
g.eval("h(Proxy.create({delete: function () { throw Error.prototype; }}));");
|
||||||
|
|
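Review bot: Nothing in this test checks that the onDebuggerStatement hook actually ran, so it passes vacuously if the `debugger;` statement in `h` never reaches the hook. A hit counter closes that gap: `var hits = 0;` before the hook is installed, `hits++;` just before the `return;` in the catch block, and `assertEq(hits, 1);` after the last `g.eval`. The catch block also accepts any exception at all. Whether the debugger side sees `Error.prototype` itself or a wrapper is not visible on this page, so the identity of `exc` is best left unasserted until that is confirmed.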
@ -102,7 +102,9 @@ js_GetLocalizedErrorMessage(JSContext* cx, void *userRef, const char *locale,
|
|||||||
* Make a copy of errobj parented to scope.
|
* Make a copy of errobj parented to scope.
|
||||||
*
|
*
|
||||||
* cx must be in the same compartment as scope. errobj may be in a different
|
* cx must be in the same compartment as scope. errobj may be in a different
|
||||||
* compartment, but it must be an Error object (not a wrapper of one).
|
* compartment, but it must be an Error object (not a wrapper of one) and it
|
||||||
|
* must not be one of the prototype objects created by js_InitExceptionClasses
|
||||||
|
* (errobj->getPrivate() must not be NULL).
|
||||||
*/
|
*/
|
||||||
extern JSObject *
|
extern JSObject *
|
||||||
js_CopyErrorObject(JSContext *cx, JSObject *errobj, JSObject *scope);
|
js_CopyErrorObject(JSContext *cx, JSObject *errobj, JSObject *scope);
|
||||||
|
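Review bot: The new precondition (errobj->getPrivate() must not be NULL) is stated only in this comment, and the definition of js_CopyErrorObject is not part of the commit, so it is not visible whether the function checks it. Passing one of the Error prototype objects is presumably the crash the bug title describes. A debug assertion at the top of the definition, `JS_ASSERT(errobj->getPrivate());`, would make any other caller that misses the check fail loudly in debug builds instead of dereferencing a null private. The only guard visible here is the one added in ErrorCopier::~ErrorCopier.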
@ -484,7 +484,7 @@ ErrorCopier::~ErrorCopier()
|
|||||||
cx->isExceptionPending())
|
cx->isExceptionPending())
|
||||||
{
|
{
|
||||||
Value exc = cx->getPendingException();
|
Value exc = cx->getPendingException();
|
||||||
if (exc.isObject() && exc.toObject().isError()) {
|
if (exc.isObject() && exc.toObject().isError() && exc.toObject().getPrivate()) {
|
||||||
cx->clearPendingException();
|
cx->clearPendingException();
|
||||||
ac.leave();
|
ac.leave();
|
||||||
JSObject *copyobj = js_CopyErrorObject(cx, &exc.toObject(), scope);
|
JSObject *copyobj = js_CopyErrorObject(cx, &exc.toObject(), scope);
|
||||||
|
@ -3003,6 +3003,7 @@ DebuggerObject_getOwnPropertyDescriptor(JSContext *cx, uintN argc, Value *vp)
|
|||||||
if (!ac.enter() || !cx->compartment->wrapId(cx, &id))
|
if (!ac.enter() || !cx->compartment->wrapId(cx, &id))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
ErrorCopier ec(ac, dbg->toJSObject());
|
||||||
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
|
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -3039,6 +3040,7 @@ DebuggerObject_getOwnPropertyNames(JSContext *cx, uintN argc, Value *vp)
|
|||||||
if (!ac.enter())
|
if (!ac.enter())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
ErrorCopier ec(ac, dbg->toJSObject());
|
||||||
if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &keys))
|
if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &keys))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
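Review bot: The two added `ErrorCopier ec(ac, dbg->toJSObject());` lines in DebuggerObject_getOwnPropertyDescriptor and DebuggerObject_getOwnPropertyNames have no test in this commit; the new test drives only `deleteProperty`. Both functions now go through ~ErrorCopier when the call fails, so each deserves a companion test where a scripted proxy handler throws an ordinary Error and one where it throws `Error.prototype`. Separately, the extra `exc.toObject().getPrivate()` condition in ~ErrorCopier would be easier to follow with a short comment above the `if`, such as `// Error prototype objects have a NULL private and cannot be copied.` All three functions start and end outside their hunks, so the surrounding control flow could not be checked here.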