Bug 1394496 - Evaluate's envChainObject should throw if passed a global. r=tcampbell
authorAndrew McCreight <continuation@gmail.com>
Tue, 05 Sep 2017 13:40:01 -0700
changeset 428544 0f3a0442c2adff8805bac300b570883add78df29
parent 428543 aae17c1a570cdc89c1d97e748311d88181d9d69e
child 428545 b5016d8477442b6602be7cbf60f72d09e2b6a2b4
push id7761
push userjlund@mozilla.com
push dateFri, 15 Sep 2017 00:19:52 +0000
treeherdermozilla-beta@c38455951db4 [default view] [failures only]
reviewerstcampbell
bugs1394496
milestone57.0a1
Bug 1394496 - Evaluate's envChainObject should throw if passed a global. r=tcampbell MozReview-Commit-ID: 7PBHQkvJigD
js/src/shell/js.cpp
js/src/tests/js1_8_5/extensions/non_syntactic.js
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1591,25 +1591,26 @@ Evaluate(JSContext* cx, unsigned argc, V
         if (!JS_GetProperty(cx, opts, "envChainObject", &v))
             return false;
         if (!v.isUndefined()) {
             if (loadBytecode) {
                 JS_ReportErrorASCII(cx, "Can't use both loadBytecode and envChainObject");
                 return false;
             }
 
-            if (v.isObject()) {
-                if (!envChain.append(&v.toObject())) {
-                    JS_ReportOutOfMemory(cx);
-                    return false;
-                }
-            } else {
+            if (!v.isObject()) {
                 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_UNEXPECTED_TYPE,
                                           "\"envChainObject\" passed to evaluate()", "not an object");
                 return false;
+            } else if (v.toObject().is<GlobalObject>()) {
+                JS_ReportErrorASCII(cx, "\"envChainObject\" passed to evaluate() should not be a global");
+                return false;
+            } else if (!envChain.append(&v.toObject())) {
+                JS_ReportOutOfMemory(cx);
+                return false;
             }
         }
 
         // We cannot load or save the bytecode if we have no object where the
         // bytecode cache is stored.
         if (loadBytecode || saveBytecode || saveIncrementalBytecode) {
             if (!cacheEntry) {
                 JS_ReportErrorNumberASCII(cx, my_GetErrorMessage, nullptr, JSSMSG_INVALID_ARGS,
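Review bot: The new guard `v.toObject().is<GlobalObject>()` tests only the object that was passed, so a cross-compartment wrapper around another global would presumably fail the test and still reach `envChain.append`. If that is intended, a comment above the branch would make it explicit, for example `// Only an unwrapped global is rejected; a wrapper around a global is still accepted.`; if not, the object needs unwrapping before the check. As a point of style, every branch returns, so the `else if` chain could be three flat `if` guards. Evaluate's body starts and ends outside the hunk.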
--- a/js/src/tests/js1_8_5/extensions/non_syntactic.js
+++ b/js/src/tests/js1_8_5/extensions/non_syntactic.js
@@ -28,9 +28,19 @@ evaluate("assertEq(someVar, 2);", evalOp
 evaluate("assertEq(this.someVar, 2);", evalOpt);
 evaluate("assertEq(this, alsoSomeObject);", evalOpt);
 
 // With an object on the scope, inside a function.
 evaluate("(function() { assertEq(someVar, 2);})()", evalOpt);
 evaluate("(function() { assertEq(this !== alsoSomeObject, true);})()", evalOpt);
 evaluate("(function() { assertEq(this.someVar, 1);})()", evalOpt);
 
+var globalEvalOpt = {
+    envChainObject: this
+};
+try {
+  evaluate("assertEq(someVar, 1);", globalEvalOpt);
+  throw new Error("Globals aren't allowed as a envChainObject argument to evaluate");
+} catch (e) {
+}
+
+
 reportCompare(true, true);
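Review bot: The added test cannot fail, because the `throw new Error(...)` inside the `try` is caught by the empty `catch (e) {}` that follows it, so the file passes whether or not evaluate() rejects the global. Record the outcome outside the `try` instead: declare `var threw = false;` before it, set `threw = true;` in the catch block, drop the inner `throw`, and add `assertEq(threw, true);` after it. Checking the caught error's message as well would confirm that the failure comes from the new envChainObject check rather than from `assertEq(someVar, 1)` in the evaluated source.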