Bug 475291 - Avoid roundtripping arbitrary jsids through JSAtom *s. r=brendan
authorBlake Kaplan <mrbkap@gmail.com>
Mon, 26 Jan 2009 16:55:43 -0800
changeset 24224 925054f5eaac84d14b1c11542034c08544a13dbe
parent 24223 efb64de1df3a10d3d2a26b695d7911d65bf8a821
child 24225 0ca5fbbf83dce4fd0881155064dee7ceefcecd3d
push id4986
push usermrbkap@mozilla.com
push dateTue, 27 Jan 2009 01:00:14 +0000
reviewersbrendan
bugs475291
milestone1.9.2a1pre
Bug 475291 - Avoid roundtripping arbitrary jsids through JSAtom *s. r=brendan
js/src/jsapi.cpp
js/src/xpconnect/crashtests/475291-1.html
js/src/xpconnect/crashtests/crashtests.list
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -3359,27 +3359,25 @@ LookupResult(JSContext *cx, JSObject *ob
         /* XXX bad API: no way to return "defined but value unknown" */
         rval = JSVAL_TRUE;
     }
     OBJ_DROP_PROPERTY(cx, obj2, prop);
     return rval;
 }
 
 static JSBool
-GetPropertyAttributes(JSContext *cx, JSObject *obj, JSAtom *atom,
-                      uintN *attrsp, JSBool *foundp,
-                      JSPropertyOp *getterp, JSPropertyOp *setterp)
+GetPropertyAttributesById(JSContext *cx, JSObject *obj, jsid id,
+                          uintN *attrsp, JSBool *foundp,
+                          JSPropertyOp *getterp, JSPropertyOp *setterp)
 {
     JSObject *obj2;
     JSProperty *prop;
     JSBool ok;
 
-    if (!atom)
-        return JS_FALSE;
-    if (!LookupPropertyById(cx, obj, ATOM_TO_JSID(atom), JSRESOLVE_QUALIFIED,
+    if (!LookupPropertyById(cx, obj, id, JSRESOLVE_QUALIFIED,
                             &obj2, &prop)) {
         return JS_FALSE;
     }
 
     if (!prop || obj != obj2) {
         *attrsp = 0;
         *foundp = JS_FALSE;
         if (getterp)
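Review bot: GetPropertyAttributesById carries no comment stating that `id` may be any jsid kind — an int or object id as well as an atomized string — yet that is the contract that distinguishes it from the atom-taking wrapper and the one the 475291-1.html crashtest (`window[14]`) exercises. I would add above the definition at the top of this hunk: `/* id may be any jsid (int, object or atom); callers must not convert it with JSID_TO_ATOM. */`. The same note applies to the pass-through call in JS_GetPropertyAttrsGetterAndSetterById in the third hunk. The function's body continues past the end of this hunk.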
@@ -3387,30 +3385,41 @@ GetPropertyAttributes(JSContext *cx, JSO
         if (setterp)
             *setterp = NULL;
         if (prop)
             OBJ_DROP_PROPERTY(cx, obj2, prop);
         return JS_TRUE;
     }
 
     *foundp = JS_TRUE;
-    ok = OBJ_GET_ATTRIBUTES(cx, obj, ATOM_TO_JSID(atom), prop, attrsp);
+    ok = OBJ_GET_ATTRIBUTES(cx, obj, id, prop, attrsp);
     if (ok && OBJ_IS_NATIVE(obj)) {
         JSScopeProperty *sprop = (JSScopeProperty *) prop;
 
         if (getterp)
             *getterp = sprop->getter;
         if (setterp)
             *setterp = sprop->setter;
     }
     OBJ_DROP_PROPERTY(cx, obj, prop);
     return ok;
 }
 
 static JSBool
+GetPropertyAttributes(JSContext *cx, JSObject *obj, JSAtom *atom,
+                      uintN *attrsp, JSBool *foundp,
+                      JSPropertyOp *getterp, JSPropertyOp *setterp)
+{
+    if (!atom)
+        return JS_FALSE;
+    return GetPropertyAttributesById(cx, obj, ATOM_TO_JSID(atom),
+                                     attrsp, foundp, getterp, setterp);
+}
+
+static JSBool
 SetPropertyAttributes(JSContext *cx, JSObject *obj, JSAtom *atom,
                       uintN attrs, JSBool *foundp)
 {
     JSObject *obj2;
     JSProperty *prop;
     JSBool ok;
 
     if (!atom)
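Review bot: The new GetPropertyAttributes wrapper has no comment explaining why an atom-keyed entry point is kept alongside the jsid-based core, and the `if (!atom) return JS_FALSE;` path returns failure without reporting an error, which is pre-existing behaviour moved from the old body. A one-line header would make the split readable: `/* Atom-keyed convenience wrapper around GetPropertyAttributesById; a NULL atom is treated as failure. */`. SetPropertyAttributes directly below still takes a `JSAtom *`, so the get and set helpers now have asymmetric contracts; if the file exposes a public ById setter that converts with JSID_TO_ATOM, it would still have the non-atom-id problem this commit fixes for the getter, but no such function is visible in this diff. SetPropertyAttributes' body continues past the end of this hunk.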
@@ -3458,18 +3467,18 @@ JS_GetPropertyAttrsGetterAndSetter(JSCon
 JS_PUBLIC_API(JSBool)
 JS_GetPropertyAttrsGetterAndSetterById(JSContext *cx, JSObject *obj,
                                        jsid id,
                                        uintN *attrsp, JSBool *foundp,
                                        JSPropertyOp *getterp,
                                        JSPropertyOp *setterp)
 {
     CHECK_REQUEST(cx);
-    return GetPropertyAttributes(cx, obj, JSID_TO_ATOM(id),
-                                 attrsp, foundp, getterp, setterp);
+    return GetPropertyAttributesById(cx, obj, id, attrsp, foundp,
+                                     getterp, setterp);
 }
 
 JS_PUBLIC_API(JSBool)
 JS_SetPropertyAttributes(JSContext *cx, JSObject *obj, const char *name,
                          uintN attrs, JSBool *foundp)
 {
     CHECK_REQUEST(cx);
     return SetPropertyAttributes(cx, obj,
new file mode 100644
--- /dev/null
+++ b/js/src/xpconnect/crashtests/475291-1.html
@@ -0,0 +1,14 @@
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+<head>
+<script type="text/javascript">
+
+function boom()
+{
+  window[14] = 14;
+  window.__lookupSetter__(14);
+}
+
+</script>
+</head>
+<body onload="boom();"></body>
+</html>
--- a/js/src/xpconnect/crashtests/crashtests.list
+++ b/js/src/xpconnect/crashtests/crashtests.list
@@ -8,8 +8,9 @@ load 394810-1.html
 load 400349-1.html
 load 403356-1.html
 load 418139-1.svg
 load 420513-1.html
 load 453935-1.html
 load 462926.html
 load 468552-1.html
 load 471366-1.html
+load 475291-1.html