Closed Bug 679013 Opened 8 years ago Closed 8 years ago

[jsdbg2] Crash when a scripted proxy handler throws Error.prototype

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
9 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla9

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

(Whiteboard: [inbound])

Attachments

(1 file, 1 obsolete file)

v2
3.56 KB, patch
Waldo
: review+
Details | Diff | Splinter Review 
Waldo spotted this by reading the code.

var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
    try {
	frame.arguments[0].deleteProperty("x");
    } catch (exc) {
	return;
    }
    throw new Error("deleteProperty should throw");
};

g.eval("function h(x) { debugger; }");
g.eval("h(Proxy.create({delete: function () { throw Error.prototype; }}));");
Attached patch v1 (obsolete) — Splinter Review 
Note that this also adds ErrorCopiers to a few other places where we run the risk of causing the debuggee to run.
Assignee: general → jorendorff
Attachment #553206 - Flags: review?(jimb)
Attached patch v2Splinter Review 
Same as v1, but actually include the test. Shift review to jwalden since jimb is on vacation.
Attachment #553206 - Attachment is obsolete: true
Attachment #553206 - Flags: review?(jimb)
Attachment #553914 - Flags: review?(jwalden+bmo)
Comment on attachment 553914 [details] [diff] [review]
v2

Review of attachment 553914 [details] [diff] [review]:
-----------------------------------------------------------------

This is kind of rubberstampy, I don't actually know that you've addressed every place where this has to happen, but it looks plausible.  Someone else can find the remaining instances, if there are any.
Attachment #553914 - Flags: review?(jwalden+bmo) → review+
hg.mozilla.org/integration/mozilla-inbound/rev/6bb148047bb5
Whiteboard: [inbound]
Target Milestone: --- → mozilla8
Version: Other Branch → 9 Branch
http://hg.mozilla.org/mozilla-central/rev/6bb148047bb5
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: mozilla8 → mozilla9
Duplicate of this bug: 684587
You need to log in before you can comment on or make changes to this bug.