Bug 1143921 - Fix crash in Debugger.defineProperty when the descriptor contains {get: undefined}. r=efaust.
authorJason Orendorff <jorendorff@mozilla.com>
Mon, 13 Apr 2015 13:48:04 -0500
changeset 240516 b40115b4c4769f4d836e037ace6cbc524499f0db
parent 240515 2b31c1372c5139a825808961266771bd757a3ab9
child 240517 cc61b087dfb1288df7b089b982c70cffb2deb118
push id58846
push userjorendorff@mozilla.com
push dateWed, 22 Apr 2015 15:43:03 +0000
reviewersefaust
bugs1143921
milestone40.0a1
Bug 1143921 - Fix crash in Debugger.defineProperty when the descriptor contains {get: undefined}. r=efaust.
js/src/jit-test/tests/debug/Object-defineProperty-14.js
js/src/vm/Debugger.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Object-defineProperty-14.js
@@ -0,0 +1,15 @@
+// defineProperty accepts undefined for desc.get/set.
+
+load(libdir + "asserts.js");
+
+var g = newGlobal();
+var dbg = new Debugger;
+var gw = dbg.addDebuggee(g);
+
+gw.defineProperty("p", {get: undefined, set: undefined});
+
+var desc = g.eval("Object.getOwnPropertyDescriptor(this, 'p')");
+assertEq("get" in desc, true);
+assertEq("set" in desc, true);
+assertEq(desc.get, undefined);
+assertEq(desc.set, undefined);
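Review bot: The test only covers the descriptor where both `get` and `set` are undefined, so it never exercises a null accessor next to a real one. The getter and setter branches in Debugger.cpp are guarded independently, so a mixed case would show that the non-null side is still unwrapped and compartment-checked while the null side is skipped. Consider adding something like `gw.defineProperty("q", {get: undefined, set: setterDO});`, where `setterDO` is a Debugger.Object for a function created in `g`, followed by `assertEq(desc.get, undefined);` and `assertEq(typeof desc.set, "function");` on the resulting descriptor.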
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -1011,30 +1011,32 @@ Debugger::unwrapPropertyDescriptor(JSCon
         {
             return false;
         }
         desc.setValue(value);
     }
 
     if (desc.hasGetterObject()) {
         RootedObject get(cx, desc.getterObject());
-        if (!unwrapDebuggeeObject(cx, &get) ||
-            !CheckArgCompartment(cx, obj, get, "defineProperty", "get"))
-        {
-            return false;
+        if (get) {
+            if (!unwrapDebuggeeObject(cx, &get))
+                return false;
+            if (!CheckArgCompartment(cx, obj, get, "defineProperty", "get"))
+                return false;
         }
         desc.setGetterObject(get);
     }
 
     if (desc.hasSetterObject()) {
         RootedObject set(cx, desc.setterObject());
-        if (!unwrapDebuggeeObject(cx, &set) ||
-            !CheckArgCompartment(cx, obj, set, "defineProperty", "set"))
-        {
-            return false;
+        if (set) {
+            if (!unwrapDebuggeeObject(cx, &set))
+                return false;
+            if (!CheckArgCompartment(cx, obj, set, "defineProperty", "set"))
+                return false;
         }
         desc.setSetterObject(set);
     }
 
     return true;
 }
 
 JSTrapStatus
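Review bot: The new `if (get)` and `if (set)` guards skip CheckArgCompartment as well as unwrapDebuggeeObject, and nothing in the code says why that is safe. CheckArgCompartment looks like the guard that keeps accessors from another compartment out of the debuggee, so a reader should be able to see that null is the only value that bypasses it. I would add a comment above each guard, for example `// {get: undefined} yields hasGetterObject() with a null getter; there is no object to unwrap or compartment-check.` The two branches are now identical apart from the accessor name, so a small static helper taking the name string would keep them from drifting apart. unwrapPropertyDescriptor starts above this hunk, so the value-handling path was not reviewed here.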