Bug 1505811. Don't leave exceptions dangling on the JSContext when regexp execution fails during HTML input pattern matching. r=baku
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 14 Nov 2018 18:48:34 +0000
changeset 502842 2170be698d4b5b7e9da804ce8c98275eade1e8f1
parent 502841 ab3dbc49f94d54897502e6ee9973229fc52f3187
child 502843 7b845eac9dd726c7213024ccb94b009da5674592
push id10290
push userffxbld-merge
push dateMon, 03 Dec 2018 16:23:23 +0000
reviewersbaku
bugs1505811
milestone65.0a1
Bug 1505811. Don't leave exceptions dangling on the JSContext when regexp execution fails during HTML input pattern matching. r=baku Differential Revision: https://phabricator.services.mozilla.com/D11818
dom/base/crashtests/1505811.html
dom/base/crashtests/crashtests.list
dom/base/nsContentUtils.cpp
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/1505811.html
@@ -0,0 +1,24 @@
+<html>
+
+<head>
+  <script>
+    function start() {
+      window.CustomElement0 = class extends HTMLElement {
+        constructor() {
+          super()
+        }
+        connectedCallback() {
+          this.before('', custom)
+          this.outerHTML = '<input pattern=""value=ð>'
+        }
+      }
+      customElements.define('custom-element-0', CustomElement0)
+      custom = document.createElementNS('http://www.w3.org/1999/xhtml', 'custom-element-0')
+      document.documentElement.appendChild(custom)
+    }
+
+    document.addEventListener('DOMContentLoaded', start)
+  </script>
+</head>
+
+</html>
\ No newline at end of file
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -241,8 +241,9 @@ pref(dom.webcomponents.shadowdom.enabled
 pref(dom.webcomponents.shadowdom.enabled,true) load 1428053.html
 pref(dom.webcomponents.customelements.enabled,true) load 1441029.html
 load 1449601.html
 load 1445670.html
 load 1458016.html
 pref(dom.webcomponents.shadowdom.enabled,true) load 1459688.html
 load 1460794.html
 pref(dom.webcomponents.shadowdom.enabled,true) load 1505875.html
+pref(dom.webcomponents.customelements.enabled,true) load 1505811.html
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -6984,17 +6984,22 @@ ReportPatternCompileFailure(nsAString& a
 
 // static
 bool
 nsContentUtils::IsPatternMatching(nsAString& aValue, nsAString& aPattern,
                                   nsIDocument* aDocument)
 {
   NS_ASSERTION(aDocument, "aDocument should be a valid pointer (not null)");
 
-  AutoJSContext cx;
+  // The fact that we're using a JS regexp under the hood should not be visible
+  // to things like window onerror handlers, so we don't initialize our JSAPI
+  // with the document's window (which may not exist anyway).
+  AutoJSAPI jsapi;
+  jsapi.Init();
+  JSContext* cx = jsapi.cx();
   AutoDisableJSInterruptCallback disabler(cx);
 
   // We can use the junk scope here, because we're just using it for
   // regexp evaluation, not actual script execution.
   JSAutoRealm ar(cx, xpc::UnprivilegedJunkScope());
 
   // The pattern has to match the entire value.
   aPattern.InsertLiteral(u"^(?:", 0);
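Review bot: The new comment above `AutoJSAPI jsapi;` explains why no window global is used but not why AutoJSAPI replaces AutoJSContext at all, which is the actual fix the commit title names: as far as I can tell AutoJSAPI's destructor reports or clears any exception still pending on `cx` when the function returns, whereas AutoJSContext left it for the next JSAPI user to trip over. Consider extending the comment with `// Unlike AutoJSContext, AutoJSAPI also takes care of any exception a failing regexp leaves pending on cx, so a bad match cannot poison later JSAPI callers.` Since the no-argument `Init()` overload is called without looking at a result, the comment could also state that this overload cannot fail, or the result should be checked before `cx` is used if it can. Note that the pattern text compiled here comes from page content and runs with the interrupt callback disabled (pre-existing, not changed by this hunk). IsPatternMatching continues past the end of the hunk, so the regexp execution and error path themselves are not visible here.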