Bug 616401 - nsHTMLCanvasElement::GetContext ignores JS exceptions; r=bz
authorMs2ger <ms2ger@gmail.com>
Fri, 18 May 2012 10:29:39 +0200
changeset 96579 09df0008b1566f9efe5b4cdbcd9fbe9f9d6da4c4
parent 96578 c795f1a41daebc5eebb6eb706f62700ecea15ff0
child 96580 c5d2792ed0f4a05af24d023ea86ece657dbc38a4
push id1439
push userlsblakk@mozilla.com
push dateMon, 04 Jun 2012 20:19:22 +0000
treeherdermozilla-aurora@ea74834dccd3 [default view] [failures only]
reviewersbz
bugs616401
milestone15.0a1
Bug 616401 - nsHTMLCanvasElement::GetContext ignores JS exceptions; r=bz
content/html/content/crashtests/616401.html
content/html/content/crashtests/crashtests.list
content/html/content/src/nsHTMLCanvasElement.cpp
new file mode 100644
--- /dev/null
+++ b/content/html/content/crashtests/616401.html
@@ -0,0 +1,8 @@
+<!doctype html>
+<script>
+var c = document.createElement("canvas");
+c.getContext("experimental-webgl", {
+  get a() { throw 7; },
+  get b() { throw 8; }
+});
+</script>
--- a/content/html/content/crashtests/crashtests.list
+++ b/content/html/content/crashtests/crashtests.list
@@ -22,16 +22,17 @@ load 596785-1.html
 load 596785-2.html
 load 604807.html
 load 605264.html
 load 606430-1.html
 load 602117.html
 load 613027.html
 load 614279.html
 load 614988-1.html
+load 616401.html
 load 620078-1.html
 load 620078-2.html
 load 680922-1.xul
 load 682058.xhtml
 load 682460.html
 load 673853.html
 load 738744.xhtml
 load 741250.xhtml
--- a/content/html/content/src/nsHTMLCanvasElement.cpp
+++ b/content/html/content/src/nsHTMLCanvasElement.cpp
@@ -521,30 +521,29 @@ nsHTMLCanvasElement::GetContext(const ns
       return NS_ERROR_FAILURE;
     }
 
     // note: if any contexts end up supporting something other
     // than objects, e.g. plain strings, then we'll need to expand
     // this to know how to create nsISupportsStrings etc.
 
     nsCOMPtr<nsIWritablePropertyBag2> contextProps;
-    if (aContextOptions.isObject())
-    {
-      JSContext *cx = nsContentUtils::GetCurrentJSContext();
+    if (aContextOptions.isObject()) {
+      JSContext* cx = nsContentUtils::GetCurrentJSContext();
 
       contextProps = do_CreateInstance("@mozilla.org/hash-property-bag;1");
 
-      JSObject *opts = &aContextOptions.toObject();
-      JS::AutoIdArray props(cx, JS_Enumerate(cx, opts));
+      JSObject& opts = aContextOptions.toObject();
+      JS::AutoIdArray props(cx, JS_Enumerate(cx, &opts));
       for (size_t i = 0; !!props && i < props.length(); ++i) {
         jsid propid = props[i];
         jsval propname, propval;
         if (!JS_IdToValue(cx, propid, &propname) ||
-            !JS_GetPropertyById(cx, opts, propid, &propval)) {
-          continue;
+            !JS_GetPropertyById(cx, &opts, propid, &propval)) {
+          return NS_ERROR_FAILURE;
         }
 
         JSString *propnameString = JS_ValueToString(cx, propname);
         nsDependentJSString pstr;
         if (!propnameString || !pstr.init(cx, propnameString)) {
           mCurrentContext = nsnull;
           return NS_ERROR_FAILURE;
         }
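Review bot: The new `return NS_ERROR_FAILURE;` after a failed `JS_IdToValue`/`JS_GetPropertyById` leaves `mCurrentContext` untouched, while the failure path just below it (the `propnameString` / `pstr.init` check) clears it with `mCurrentContext = nsnull;` before returning. GetContext starts and ends outside this hunk, so whether the context is already assigned at this point is not visible here; if it is, a throwing getter would leave a context whose options were never applied cached on the element. Adding `mCurrentContext = nsnull;` before the new return would keep the two error paths consistent. Separately, a failed `JS_Enumerate` is still passed over silently by the `!!props` loop condition, so that failure is presumably ignored in the same way the getter exception was. An explicit `if (!props) { mCurrentContext = nsnull; return NS_ERROR_FAILURE; }` ahead of the loop would cover it.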