Bug 708405. Make sure to propagate out failures from JS_HasPropertyById in the old nodelist resolve hook. r=mrbkap
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 15 Dec 2011 14:36:46 -0500
changeset 82690 403c7bcfb42a36589998fbe898e1ae6e2ed9acdb
parent 82689 ee190c4d5bfe388f00e7f40fc7e68344c46fc9c7
child 82691 40cc6c09ffe9080ebdba898b4454588e90e62fe6
push id21693
push userbmo@edmorley.co.uk
push dateFri, 16 Dec 2011 01:34:58 +0000
reviewersmrbkap
bugs708405
milestone11.0a1
Bug 708405. Make sure to propagate out failures from JS_HasPropertyById in the old nodelist resolve hook. r=mrbkap
dom/base/crashtests/708405-1.html
dom/base/crashtests/crashtests.list
dom/base/nsDOMClassInfo.cpp
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/708405-1.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  var a = document.getElementsByTagName("div");
+  a.__proto__ = Proxy.create({has: function() { throw new Error; }});
+  for (var p in a) {
+  }
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -28,8 +28,9 @@ load 609560-1.xhtml
 load 612018-1.html
 load 637116.html
 load 666869.html
 load 675621-1.html
 load 693894.html
 load 695867.html
 load 697643.html
 load 706283-1.html
+load 708405-1.html
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -7969,22 +7969,29 @@ nsNamedArraySH::NewResolve(nsIXPConnectW
       JSAutoEnterCompartment ac;
 
       if (!ac.enter(cx, realObj)) {
         *_retval = false;
         return NS_ERROR_FAILURE;
       }
 
       JSObject *proto = ::JS_GetPrototype(cx, realObj);
-      JSBool hasProp;
-
-      if (proto && ::JS_HasPropertyById(cx, proto, id, &hasProp) && hasProp) {
-        // We found the property we're resolving on the prototype,
-        // nothing left to do here then.
-        return NS_OK;
+
+      if (proto) {
+        JSBool hasProp;
+        if (!::JS_HasPropertyById(cx, proto, id, &hasProp)) {
+          *_retval = false;
+          return NS_ERROR_FAILURE;
+        }
+
+        if (hasProp) {
+          // We found the property we're resolving on the prototype,
+          // nothing left to do here then.
+          return NS_OK;
+        }
       }
     }
 
     // Make sure rv == NS_OK here, so GetNamedItem implementations
     // that never fail don't have to set rv.
     nsresult rv = NS_OK;
     nsWrapperCache *cache;
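Review bot: The new early return after `::JS_HasPropertyById` fails carries no comment saying why resolution must stop there, although that is the entire point of the fix. The added crashtest shows the trigger: a proxy prototype whose `has` trap throws. The old condition treated that failure the same as "property not found" and fell through into the rest of the hook, presumably with the exception still pending on `cx`. I would add above the check something like `// JS_HasPropertyById fails when the lookup throws (e.g. a proxy prototype's has trap); propagate instead of treating it as "not found".` so a later cleanup does not fold the two conditions back into one `&&` chain. NewResolve starts before and continues after this hunk, so it cannot be confirmed from here whether any later JSAPI calls in the function check their results the same way.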