Bug 679013 - [jsdbg2] Crash when a scripted proxy handler throws Error.prototype
Status: RESOLVED FIXED
Whiteboard: [inbound]
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 9 Branch
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: mozilla9
Assigned To: Jason Orendorff [:jorendorff]
Duplicates: 684587
Reported: 2011-08-15 10:02 PDT by Jason Orendorff [:jorendorff]
Modified: 2011-09-06 10:59 PDT

Attachments
v1 (2.86 KB, patch) - 2011-08-15 10:04 PDT, Jason Orendorff [:jorendorff] - no flags
v2 (3.56 KB, patch) - 2011-08-17 14:38 PDT, Jason Orendorff [:jorendorff] - jwalden+bmo: review+

Description Jason Orendorff [:jorendorff] 2011-08-15 10:02:05 PDT
Waldo spotted this by reading the code.

var g = newGlobal('new-compartment');   // newGlobal: JS shell built-in
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
    // Debugger-side call into a debuggee object. The scripted proxy
    // handler below throws, so deleteProperty must throw here as well.
    try {
        frame.arguments[0].deleteProperty("x");
    } catch (exc) {
        return;
    }
    throw new Error("deleteProperty should throw");
};

g.eval("function h(x) { debugger; }");
// Proxy.create: legacy SpiderMonkey proxy API. The delete trap throws
// Error.prototype, an object that is not an Error instance.
g.eval("h(Proxy.create({delete: function () { throw Error.prototype; }}));");
Comment 1 Jason Orendorff [:jorendorff] 2011-08-15 10:04:02 PDT
Created attachment 553206 [details] [diff] [review]
v1

Note that this also adds ErrorCopiers to a few other places where we run the risk of causing the debuggee to run.
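Added example, not part of this bug or its patch: a plain JavaScript model of the boundary the fix is about. The debuggee side can throw any value it likes (Error.prototype, a primitive, an object whose accessors throw), so debugger-side code that inspects the thrown value must not assume it is an Error instance with a usable report. The names describeThrown, makeThrowingTarget and tryDeleteProperty are hypothetical, chosen for this example; it uses the standard ES2015 Proxy rather than the old Proxy.create API from the test case. Runs under Node.

```javascript
// Added example (not from the bug or its patch). Models the trust boundary
// the bug is about: the "debuggee" side may throw ANY value, so the
// "debugger" side must not assume the thrown value is a real Error.

// Describe a thrown value without ever throwing ourselves. `exc` may be a
// primitive, Error.prototype itself, or an object whose accessors throw.
function describeThrown(exc) {
  const out = {
    kind: typeof exc,
    isErrorInstance: false,
    isErrorPrototype: false,
    name: null,
    message: null,
  };
  if (exc === null || (typeof exc !== 'object' && typeof exc !== 'function')) {
    // Primitives have no properties worth probing; stringify them directly.
    out.message = String(exc);
    return out;
  }
  // Error.prototype's own [[Prototype]] is Object.prototype, so it is NOT
  // `instanceof Error` even though it has own `name` and `message` strings.
  out.isErrorPrototype = exc === Error.prototype;
  try {
    // instanceof walks the prototype chain; a proxy with a throwing
    // getPrototypeOf trap makes even this throw.
    out.isErrorInstance = exc instanceof Error;
  } catch (_) {
    out.isErrorInstance = false;
  }
  for (const key of ['name', 'message']) {
    try {
      const v = exc[key];        // may hit a hostile getter or proxy trap
      out[key] = typeof v === 'string' ? v : null;
    } catch (_) {
      out[key] = null;
    }
  }
  return out;
}

// Stand-in for the debuggee's scripted proxy: every trap throws `value`
// (the bug's test case throws Error.prototype from the delete trap).
function makeThrowingTarget(value) {
  return new Proxy({}, {
    deleteProperty() { throw value; },
    get() { throw value; },
  });
}

// Stand-in for the debugger-side operation (the test case's
// Debugger.Object.prototype.deleteProperty): perform the delete on the
// debuggee object and report the outcome, whatever was thrown.
function tryDeleteProperty(obj, prop) {
  try {
    delete obj[prop];
    return { threw: false, detail: null };
  } catch (exc) {
    return { threw: true, detail: describeThrown(exc) };
  }
}

// Constructed inputs: the bug's own scenario plus two other hostile values.
const fromProxy = tryDeleteProperty(makeThrowingTarget(Error.prototype), 'x');
const hostile = describeThrown({ get message() { throw new Error('trap'); } });
const primitive = tryDeleteProperty(makeThrowingTarget('boom'), 'x');
console.log(fromProxy, hostile, primitive);
```

The point of describeThrown is that every read of the foreign value sits inside its own try, and the classification does not branch on "is this an Error" before probing; in the original bug the engine-side code effectively did assume that, and Error.prototype satisfied the check for being an Error-class object without carrying the data a thrown Error normally has.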
Comment 2 Jason Orendorff [:jorendorff] 2011-08-17 14:38:36 PDT
Created attachment 553914 [details] [diff] [review]
v2

Same as v1, but actually include the test. Shift review to jwalden since jimb is on vacation.
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2011-08-17 18:24:19 PDT
Comment on attachment 553914 [details] [diff] [review]
v2

Review of attachment 553914 [details] [diff] [review]:
-----------------------------------------------------------------

This is kind of rubberstampy, I don't actually know that you've addressed every place where this has to happen, but it looks plausible.  Someone else can find the remaining instances, if there are any.
Comment 4 Jason Orendorff [:jorendorff] 2011-08-18 10:32:12 PDT
hg.mozilla.org/integration/mozilla-inbound/rev/6bb148047bb5
Comment 5 Marco Bonardo [::mak] 2011-08-19 03:12:26 PDT
http://hg.mozilla.org/mozilla-central/rev/6bb148047bb5
Comment 6 Jason Orendorff [:jorendorff] 2011-09-06 10:59:00 PDT
*** Bug 684587 has been marked as a duplicate of this bug. ***