Workers: double-error reporting in location.toString and incorrect assumption about JS_GetInstancePrivate

RESOLVED FIXED in mozilla13

Status

()

Core
DOM
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

unspecified
mozilla13
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

v1
21.67 KB, patch
Ben Turner (not reading bugmail, use the needinfo flag!)
: review+
Details | Diff | Splinter Review
(Assignee)

Description

5 years ago
ToString from https://hg.mozilla.org/mozilla-central/file/005980552224/dom/workers/Location.cpp#l147 contains:

    JSObject* obj = JS_THIS_OBJECT(aCx, aVp);

    JSClass* classPtr;
    if (!obj || ((classPtr = JS_GET_CLASS(aCx, obj)) != &sClass)) {
      JS_ReportErrorNumber(aCx, js_GetErrorMessage, NULL,
                           JSMSG_INCOMPATIBLE_PROTO, sClass.name, "toString",
                           classPtr ? classPtr->name : "object");
      return false;
    }

As JS_THIS_OBJECT reports errors (OOM) on its own, reporting JSMSG_INCOMPATIBLE_PROTO again is wrong after JS_THIS_OBJECT fails.

Another issue that I sported when looking for a similar pattern is the following comment in many GetInstancePrivate implementations:

    // JS_GetInstancePrivate is ok to be called with a null aObj, so this should
    // be too.

The implication is the comment is wrong. JS_GetInstancePrivate allows null aObj only for compatibility. The new code should never pass null there. As in all cases workers' GetInstancePrivate are not used with null aObj, for code simplicity the implementation should assume that aObj is not null.
(Assignee)

Comment 1

5 years ago
Created attachment 594125 [details] [diff] [review]
v1

The patch fixes ToString implementation and changes GetInstancePrivate to assume that obj is not null. The patch also removed few checks for null result of JS_GET_CLASS(obj). That is not possible.
Attachment #594125 - Flags: review?(bent.mozilla)
Comment on attachment 594125 [details] [diff] [review]
v1

Review of attachment 594125 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for cleaning this up!

::: dom/workers/Location.cpp
@@ +148,5 @@
>    ToString(JSContext* aCx, uintN aArgc, jsval* aVp)
>    {
>      JSObject* obj = JS_THIS_OBJECT(aCx, aVp);
> +    if (!obj)
> +      return false;

Nit: Please add braces.
Attachment #594125 - Flags: review?(bent.mozilla) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/fbd68d8e15b9
https://hg.mozilla.org/mozilla-central/rev/fbd68d8e15b9
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
You need to log in before you can comment on or make changes to this bug.