Bug 908915 - Fix compartment mismatch in shell decompileThis and disassemble functions. r=efaust
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 24 Oct 2013 15:02:51 +0200
changeset 165779 315555d511331bd986b667ab685ef916c243d9af
parent 165778 de354010012d8126c4b02e4a2ee353a44089b6ba
child 165780 fc4f336fcedd56349fd747093a89f6129c0fc049
push id3066
push userakeybl@mozilla.com
push dateMon, 09 Dec 2013 19:58:46 +0000
reviewersefaust
bugs908915
milestone27.0a1
Bug 908915 - Fix compartment mismatch in shell decompileThis and disassemble functions. r=efaust
js/src/jit-test/tests/basic/bug908915.js
js/src/shell/js.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug908915.js
@@ -0,0 +1,24 @@
+// |jit-test| error: 42
+function f(y) {}
+for each(let e in newGlobal()) {
+    if (e.name === "quit" || e.name == "readline" || e.name == "terminate")
+	continue;
+    try {
+        e();
+    } catch (r) {}
+}
+(function() {
+    arguments.__proto__.__proto__ = newGlobal()
+    function f(y) {
+        y()
+    }
+    for each(b in []) {
+	if (b.name === "quit" || b.name == "readline" || b.name == "terminate")
+	    continue;
+        try {
+            f(b)
+        } catch (e) {}
+    }
+})();
+
+throw 42;
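Review bot: Nothing in the test says which shell builtins it is aimed at or why the second loop iterates at all: `for each(b in [])` appears to have elements only because the line above splices `newGlobal()` into the prototype chain via `arguments.__proto__.__proto__`, which is easy to miss in a fuzzer-reduced case. I would add a header comment such as `// Shell builtins reached through another global (e.g. decompileThis, disassemble) must not trip compartment checks.` and a short comment on the `__proto__` assignment. Calling every enumerable function behind a name-based skip list also ties the test to the full shell builtin set, so a new blocking or exiting builtin will need another exclusion here.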
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1980,16 +1980,17 @@ DisassembleToSprinter(JSContext *cx, uns
     DisassembleOptionParser p(args.length(), args.array());
     if (!p.parse(cx))
         return false;
 
     if (p.argc == 0) {
         /* Without arguments, disassemble the current script. */
         RootedScript script(cx, GetTopScript(cx));
         if (script) {
+            JSAutoCompartment ac(cx, script);
             if (!js_Disassemble(cx, script, p.lines, sprinter))
                 return false;
             SrcNotes(cx, script, sprinter);
             TryNotes(cx, script, sprinter);
         }
     } else {
         for (unsigned i = 0; i < p.argc; i++) {
             RootedFunction fun(cx);
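Review bot: The new `JSAutoCompartment ac(cx, script)` covers only the no-argument branch; the `else` branch that disassembles functions passed as arguments begins at the end of this hunk and continues outside it, so it is not visible whether a function from another global is handled in its own compartment there. If that loop can reach `js_Disassemble` with a script from a different compartment than `cx`, it needs the same guard. A short comment above the added line would record the reason, e.g. `/* The top script can belong to the caller's compartment rather than cx's when invoked through another global. */`.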
@@ -3762,21 +3763,26 @@ static bool
 DecompileThisScript(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedScript script (cx);
     if (!JS_DescribeScriptedCaller(cx, &script, nullptr)) {
         args.rval().setString(cx->runtime()->emptyString);
         return true;
     }
-    JSString *result = JS_DecompileScript(cx, script, "test", 0);
-    if (!result)
-        return false;
-    args.rval().setString(result);
-    return true;
+
+    {
+        JSAutoCompartment ac(cx, script);
+        JSString *result = JS_DecompileScript(cx, script, "test", 0);
+        if (!result)
+            return false;
+        args.rval().setString(result);
+    }
+
+    return JS_WrapValue(cx, vp);
 }
 
 static bool
 ThisFilename(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedScript script (cx);
     if (!JS_DescribeScriptedCaller(cx, &script, nullptr) || !script->filename()) {
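Review bot: The final `return JS_WrapValue(cx, vp);` relies on `args.rval()` being stored in `*vp`, which mixes the `CallArgs` abstraction with the raw `vp` convention and is not obvious to a reader. A comment above that line such as `// result was allocated in script's compartment; wrap it into the caller's before returning.` would make the intent, and the reason for the scoped block, explicit. `ThisFilename` starts at the end of this hunk and continues outside it; it obtains the caller's script the same way, and from the visible lines it is not possible to tell whether it needs similar treatment.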