Open Bug 1256449 Opened 9 years ago Updated 3 years ago

WebIDL: Nullable union types passed to chrome constructors aren't null-checked before wrapping

Categories

(Core :: General, defect)

People

(Reporter: lina, Unassigned)

Details

I'm not sure if the description for this bug is accurate, but it's easier to explain with an example. Let's say we have an interface with a chrome constructor that takes a nullable union:

    // typedef (ArrayBufferView or ArrayBuffer) BufferSource;
    [ChromeConstructor(BufferSource? buffer)]
    interface MyInterface {
      // ...
    };

The generated binding for that constructor will look something like this:

    static bool
    _constructor(JSContext* cx, unsigned argc, JS::Value* vp)
    {
      // ...
      Maybe<JSAutoCompartment> ac;
      if (objIsXray) {
        // ...
        if (arg0.Value().IsArrayBufferView()) {
          if (!arg0.Value().GetAsArrayBufferView().WrapIntoNewCompartment(cx)) {
            return false;
          }
        } else if (arg0.Value().IsArrayBuffer()) {
          if (!arg0.Value().GetAsArrayBuffer().WrapIntoNewCompartment(cx)) {
            return false;
          }
        }
        // ...
      }
      // ...
    }

It looks like the missing `arg0.IsNull()` check causes a JS call like `new MyInterface(null)` to assert.

Nullable unions in dictionaries seem to have the same problem, but we check `WasPassed()` before calling `Value()`...so it's possible to work around like this:

    var options = {};
    if (buffer) {
      options.buffer = buffer;
    }
    new MyInterface(options);

If it helps, I can upload the full generated binding code and WebIDL interface. I don't know enough about the code generator to attempt a fix. :-(
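As an added illustration (not code from the bug report or from Gecko's generated bindings), here is a self-contained C++ model of the Xray wrapping branch with the `IsNull()` guard the report says is missing. The `Nullable`, `BufferSource`, `ArrayBuffer` and `ArrayBufferView` types are minimal stand-ins for the binding classes; `Value()` asserts on a null instance the way the report describes for `new MyInterface(null)`.

```cpp
#include <cassert>
#include <optional>
#include <utility>
#include <variant>

// Minimal stand-ins for the binding types (constructed for this example, not Gecko's).
struct ArrayBuffer {
  bool wrapped = false;
  bool WrapIntoNewCompartment() { wrapped = true; return true; }
};
struct ArrayBufferView {
  bool wrapped = false;
  bool WrapIntoNewCompartment() { wrapped = true; return true; }
};

// Model of the (ArrayBufferView or ArrayBuffer) union.
struct BufferSource {
  std::variant<ArrayBufferView, ArrayBuffer> mValue;
  bool IsArrayBufferView() const { return std::holds_alternative<ArrayBufferView>(mValue); }
  bool IsArrayBuffer() const { return std::holds_alternative<ArrayBuffer>(mValue); }
  ArrayBufferView& GetAsArrayBufferView() { return std::get<ArrayBufferView>(mValue); }
  ArrayBuffer& GetAsArrayBuffer() { return std::get<ArrayBuffer>(mValue); }
};

// Model of Nullable<T>: calling Value() on a null instance is a hard assertion
// failure, which is the behaviour the report describes for `new MyInterface(null)`.
template <typename T>
class Nullable {
  std::optional<T> mValue;
 public:
  Nullable() = default;
  explicit Nullable(T aValue) : mValue(std::move(aValue)) {}
  bool IsNull() const { return !mValue.has_value(); }
  T& Value() { assert(!IsNull() && "Value() called on a null Nullable"); return *mValue; }
};

// The Xray wrapping step of the generated constructor, with the guard the report
// says is missing: a null argument has nothing to wrap, so it is skipped.
bool WrapBufferSourceArg(Nullable<BufferSource>& arg0) {
  if (arg0.IsNull()) {
    return true;  // the missing check; without it, Value() below asserts
  }
  if (arg0.Value().IsArrayBufferView()) {
    return arg0.Value().GetAsArrayBufferView().WrapIntoNewCompartment();
  }
  if (arg0.Value().IsArrayBuffer()) {
    return arg0.Value().GetAsArrayBuffer().WrapIntoNewCompartment();
  }
  return true;
}
```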
Severity: normal → S3