Closed
Bug 666371
Opened 13 years ago
Closed 13 years ago
JavaScript aborts when trying to access arguments.callee.caller from the top element of a call stack
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 666587
People: Reporter: ma1, Unassigned
Details
Seems new in 7.0a1 (2011-06-22).

To reproduce, open http://evil.hackademix.net/callee.html with JavaScript enabled.

Expected result: an alert box saying "load done".
Actual result: an alert box saying "load failed".

The problem is the arguments.callee.caller.caller statement, which is attempted inside a function called by an event handler installed via attribute parsing. The JavaScript code is aborted immediately (like in an OOM error), and the finally block is never reached.

Notice that the problem also happens in chrome code, and also if the event handler is attached by other means, as can be seen by evaluating the following snippet in the Error Console and then trying to open a link in a new tab:

top.opener.document.getElementById("context-openlinkintab").oncommand = top.opener.eval("function(){alert('here'); try { arguments.callee.caller } finally {alert('there')}}")
Comment 1•13 years ago
I think I tried too hard in Bug 640593. This could work, untested!

>if (!fp->prev())
>    return false;
>
>StackFrame *frame = js_GetScriptedCaller(cx, fp->prev());
>if (!frame || !frame->getValidCalleeObject(cx, vp))
>    return false;

to

>StackFrame *frame = (fp->prev()) ? js_GetScriptedCaller(cx, fp->prev()) : NULL;
>if (!frame)
>    return true;
>if (!frame->getValidCalleeObject(cx, vp))
>    return false;

Don't know, maybe we just want to throw proper errors anyway. I don't care enough about ".caller" though.
Comment 2•13 years ago
Reporter
Simplified test case, this can be run anywhere a window context is available, and should alert "Done" but is silent because of this bug:

<script>
setTimeout(function(){ try { arguments.callee.caller } finally { alert("Done") }}, 0);
</script>

http://mxr.mozilla.org/mozilla-central/search?string=callee.caller&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-central
Summary: JavaScript aborts when trying to access the null caller of an event handler via arguments.callee.caller chain. → JavaScript aborts when trying to access arguments.callee.caller from the top element of a call stack
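The behaviour the reporter expects (the arguments.callee.caller chain ends in null at the top element of the stack, and a finally block wrapped around the access still runs) can be checked in a current engine with the script below. This is an added example, not code from the bug or from Mozilla; it assumes Node.js/V8, and the names makeSloppyProbe, probe, eventHandler and maxDepth are this example's own. Because arguments.callee and Function.prototype.caller throw a TypeError in strict-mode code, the functions are created with the Function constructor, which always yields sloppy-mode code however the file itself is loaded.

```javascript
// Added example, not code from bug 666371 or from Mozilla. Walks the
// arguments.callee.caller chain to the top of the call stack and records
// whether the `finally` block ran, which is what the bug says was broken.
// Assumes Node.js/V8; probe, eventHandler, maxDepth, makeSloppyProbe are
// this example's own names.
//
// arguments.callee and Function.prototype.caller throw a TypeError in strict
// mode, so the functions are built with the Function constructor, which
// produces sloppy-mode code regardless of how this file is loaded.
const makeSloppyProbe = new Function(`
  function probe(maxDepth) {
    var names = [];
    var finallyRan = false;
    var reachedTop = false;
    try {
      var f = arguments.callee;                 // probe itself
      for (var depth = 0; f && depth < maxDepth; depth++) {
        names.push(f.name || '<anonymous>');
        f = f.caller;   // null once the top element of the stack is passed
      }
      reachedTop = (f === null);                // stopped at the top, not at maxDepth
    } finally {
      finallyRan = true;   // in the reported bug this block was never reached
    }
    return { names: names, finallyRan: finallyRan, reachedTop: reachedTop };
  }

  // Stand-in for the event handler in the report: one sloppy frame above probe.
  function eventHandler() {
    return probe(64);
  }

  return { probe: probe, eventHandler: eventHandler };
`);

const sloppy = makeSloppyProbe();

// Synchronous call: the chain starts with probe, then eventHandler, then
// whatever sloppy host frames sit below, and ends in null.
function callerChainFromHandler() {
  return sloppy.eventHandler();
}

// Mirrors the simplified test case in comment 2: the timer callback is the
// top scripted frame, so probe's caller chain is very short.
setTimeout(function () {
  var r = sloppy.probe(64);
  console.log('from timer callback:', JSON.stringify(r));
}, 0);

console.log('from handler:', JSON.stringify(callerChainFromHandler()));
```

Running it prints two records; in both, finallyRan and reachedTop are true, and the first two names of the synchronous chain are probe and eventHandler. Which host frames appear after those depends on whether the file is loaded as CommonJS (the sloppy module wrapper shows up as <anonymous>) or as an ES module (all frames strict, so the chain ends immediately), which is why the example bounds the walk with maxDepth rather than assuming a fixed depth.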
Comment 3•13 years ago
Could you get us a regression window on this using nightlies?
Keywords: regressionwindow-wanted
Comment 4•13 years ago
(In reply to comment #2)
> Simplified test case, this can be run anywhere a window context is
> available, and should alert "Done" but is silent because of this bug:
> <script>
> setTimeout(function(){ try { arguments.callee.caller } finally {
> alert("Done") }}, 0);
> </script>
>
> http://mxr.mozilla.org/mozilla-central/search?string=callee.
> caller&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-central

(In reply to comment #3)
> Could you get us a regression window on this using nightlies?

Regression window:

Works (an alert box "Done" appears):
http://hg.mozilla.org/tracemonkey/rev/e59b1d2a2f79
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110617 Firefox/7.0a1 ID:20110617173815

Fails (no alert box):
http://hg.mozilla.org/tracemonkey/rev/9ced98ee3aa9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110618 Firefox/7.0a1 ID:20110618050724

Pushlog:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=e59b1d2a2f79&tochange=9ced98ee3aa9

Triggered by:
9ced98ee3aa9 Tom Schuster — Bug 640593 - Remove Function.arity and other cleanup around function properties r=jorendorff
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Keywords: regressionwindow-wanted
Resolution: --- → DUPLICATE