Bug 708405. Make sure to propagate out failures from JS_HasPropertyById in the old nodelist resolve hook. r=mrbkap
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 15 Dec 2011 14:36:46 -0500
changeset 82689 403c7bcfb42a36589998fbe898e1ae6e2ed9acdb
parent 82688 ee190c4d5bfe388f00e7f40fc7e68344c46fc9c7
child 82690 40cc6c09ffe9080ebdba898b4454588e90e62fe6
push id4063
push userbzbarsky@mozilla.com
push dateThu, 15 Dec 2011 19:40:10 +0000
reviewersmrbkap
bugs708405
milestone11.0a1
Bug 708405. Make sure to propagate out failures from JS_HasPropertyById in the old nodelist resolve hook. r=mrbkap
dom/base/crashtests/708405-1.html
dom/base/crashtests/crashtests.list
dom/base/nsDOMClassInfo.cpp
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/708405-1.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  var a = document.getElementsByTagName("div");
+  a.__proto__ = Proxy.create({has: function() { throw new Error; }});
+  for (var p in a) {
+  }
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
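Review bot: The crashtest carries no comment saying what it exercises, so a reader has to open the bug to learn why a throwing proxy is installed at `a.__proto__`. I would add above `boom()` something like `// Bug 708405: the has() trap on the prototype throws, so the property lookup on the prototype fails while enumerating the node list; this must not crash.` That the `for (var p in a)` loop is what reaches the nodelist resolve hook is inferred from the commit title, not visible in this file. Since the loop is not wrapped in `try`/`catch`, the test only shows the absence of a crash, not that the error actually surfaces to script.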
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -28,8 +28,9 @@ load 609560-1.xhtml
 load 612018-1.html
 load 637116.html
 load 666869.html
 load 675621-1.html
 load 693894.html
 load 695867.html
 load 697643.html
 load 706283-1.html
+load 708405-1.html
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -7969,22 +7969,29 @@ nsNamedArraySH::NewResolve(nsIXPConnectW
       JSAutoEnterCompartment ac;
 
       if (!ac.enter(cx, realObj)) {
         *_retval = false;
         return NS_ERROR_FAILURE;
       }
 
       JSObject *proto = ::JS_GetPrototype(cx, realObj);
-      JSBool hasProp;
-
-      if (proto && ::JS_HasPropertyById(cx, proto, id, &hasProp) && hasProp) {
-        // We found the property we're resolving on the prototype,
-        // nothing left to do here then.
-        return NS_OK;
+
+      if (proto) {
+        JSBool hasProp;
+        if (!::JS_HasPropertyById(cx, proto, id, &hasProp)) {
+          *_retval = false;
+          return NS_ERROR_FAILURE;
+        }
+
+        if (hasProp) {
+          // We found the property we're resolving on the prototype,
+          // nothing left to do here then.
+          return NS_OK;
+        }
       }
     }
 
     // Make sure rv == NS_OK here, so GetNamedItem implementations
     // that never fail don't have to set rv.
     nsresult rv = NS_OK;
     nsWrapperCache *cache;