Fix (bug 635200, r=gal, a=blocking).
authorDavid Anderson <danderson@mozilla.com>
Fri, 25 Feb 2011 11:08:58 -0800
changeset 63146 f007657da01e8f06cdf27a84513735cfa8abd15e
parent 63145 d5a3aff4f8145b37169bf3ef7ed30989dbd4dd7a
child 63147 4c3e3695b8e14350fd73d572047eef1fd8a4cff9
push id19043
push userrsayre@mozilla.com
push dateSun, 27 Feb 2011 15:29:23 +0000
reviewersgal, blocking
bugs635200
milestone2.0b12pre
Fix (bug 635200, r=gal, a=blocking).
js/src/jsexn.cpp
--- a/js/src/jsexn.cpp
+++ b/js/src/jsexn.cpp
@@ -712,16 +712,21 @@ Exception(JSContext *cx, uintN argc, Val
      * NewNativeClassInstance to find the class prototype, we must get the
      * class prototype ourselves.
      */
     JSObject &callee = vp[0].toObject();
     Value protov;
     if (!callee.getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom), &protov))
         return JS_FALSE;
 
+    if (!protov.isObject()) {
+        JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_BAD_PROTOTYPE, "Error");
+        return JS_FALSE;
+    }
+
     JSObject *errProto = &protov.toObject();
     JSObject *obj = NewNativeClassInstance(cx, &js_ErrorClass, errProto, errProto->getParent());
     if (!obj)
         return JS_FALSE;
 
     /*
      * If it's a new object of class Exception, then null out the private
      * data so that the finalizer doesn't attempt to free it.
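Review bot: The new `if (!protov.isObject())` guard has no comment, and the commit title says only "Fix", so nothing records that `protov` comes from a property lookup on the callee and may hold a non-object value when `protov.toObject()` and `errProto->getParent()` run. I would add above the check: `/* 'prototype' is read from the callee and may not be an object; reject it before toObject(). */`. The report also hard-codes the name `"Error"`; if this native is shared by other error constructors (not visible in this hunk), the message would name the wrong one, so deriving the name from the callee would be more accurate. The body of Exception() starts above the hunk and continues below it, so later uses of `errProto` were not checked here.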