Bug 908915 - Fix compartment mismatch in shell decompileThis and disassemble functions. r=efaust, a=bajaj
authorJan de Mooij <jdemooij@mozilla.com>
Thu, 24 Oct 2013 15:02:51 +0200
changeset 148775 5e401488703e3fcdd998ba9f095a5867eaa2e46c
parent 148774 6d09b5e0b7e99d5c007620cb4c0a0366d61cbdba
child 148776 f20ee8d5379e295c2fbe407f5f2e6e4017960251
push id128
push userryanvm@gmail.com
push dateTue, 07 Jan 2014 16:44:59 +0000
reviewersefaust, bajaj
bugs908915
milestone24.2.0
Bug 908915 - Fix compartment mismatch in shell decompileThis and disassemble functions. r=efaust, a=bajaj
js/src/jit-test/tests/basic/bug908915.js
js/src/shell/js.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug908915.js
@@ -0,0 +1,24 @@
+// |jit-test| error: 42
+function f(y) {}
+for each(let e in newGlobal()) {
+    if (e.name === "quit" || e.name == "readline" || e.name == "terminate")
+	continue;
+    try {
+        e();
+    } catch (r) {}
+}
+(function() {
+    arguments.__proto__.__proto__ = newGlobal()
+    function f(y) {
+        y()
+    }
+    for each(b in []) {
+	if (b.name === "quit" || b.name == "readline" || b.name == "terminate")
+	    continue;
+        try {
+            f(b)
+        } catch (e) {}
+    }
+})();
+
+throw 42;
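Review bot: The test never states what it regresses; a reader of `// |jit-test| error: 42` and the blanket `try { e(); } catch (r) {}` loops cannot tell that the point is calling shell natives such as decompileThis and disassemble with a caller from another global. A second header line, `// Bug 908915: calling shell natives from another global must not cause a compartment mismatch.`, would say so. The filter conditions also mix `===` and `==`, and the two `continue;` lines are tab-indented while the rest of the file uses spaces; using `===` throughout and spaces only would match the surrounding code. The unused top-level `function f(y) {}` can probably be dropped unless the reduced case depends on it.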
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1950,16 +1950,17 @@ DisassembleToSprinter(JSContext *cx, uns
     DisassembleOptionParser p(args.length(), args.array());
     if (!p.parse(cx))
         return false;
 
     if (p.argc == 0) {
         /* Without arguments, disassemble the current script. */
         RootedScript script(cx, GetTopScript(cx));
         if (script) {
+            JSAutoCompartment ac(cx, script);
             if (!js_Disassemble(cx, script, p.lines, sprinter))
                 return false;
             SrcNotes(cx, script, sprinter);
             TryNotes(cx, script, sprinter);
         }
     } else {
         for (unsigned i = 0; i < p.argc; i++) {
             RootedFunction fun(cx);
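Review bot: The new JSAutoCompartment covers only the no-argument path; the loop beginning with `RootedFunction fun(cx);` disassembles each argument function, and the hunk ends before showing whether that path enters the function's compartment as well — the new test hands functions from a `newGlobal()` to shell natives, so the same mismatch seems possible there unless the code below already handles it. The reason for the added line is also worth stating in place, since the existing comment only says what is disassembled: `/* The current script may belong to another compartment (bug 908915); enter it before disassembling. */`. DisassembleToSprinter begins and ends outside the hunk.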
@@ -3358,21 +3359,26 @@ static JSBool
 DecompileThisScript(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedScript script (cx);
     if (!JS_DescribeScriptedCaller(cx, script.address(), NULL)) {
         args.rval().setString(cx->runtime()->emptyString);
         return true;
     }
-    JSString *result = JS_DecompileScript(cx, script, "test", 0);
-    if (!result)
-        return false;
-    args.rval().setString(result);
-    return true;
+
+    {
+        JSAutoCompartment ac(cx, script);
+        JSString *result = JS_DecompileScript(cx, script, "test", 0);
+        if (!result)
+            return false;
+        args.rval().setString(result);
+    }
+
+    return JS_WrapValue(cx, vp);
 }
 
 static JSBool
 ThisFilename(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     RootedScript script (cx);
     if (!JS_DescribeScriptedCaller(cx, script.address(), NULL) || !script->filename()) {
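Review bot: The bare braced block in DecompileThisScript carries no comment explaining why its scope is limited, which a reader needs in order to see why `JS_WrapValue(cx, vp)` follows it instead of `return true;`: the string is created in the caller script's compartment and can only be wrapped for the current one after the AutoCompartment has been left. Suggested comment above the opening brace: `// The caller's script may live in another compartment (bug 908915): decompile there, then wrap the result once we are back in the current compartment.` The early return that stores `cx->runtime()->emptyString` skips the wrapping; that looks intentional, but a one-line comment there would remove the apparent asymmetry. ThisFilename also starts from JS_DescribeScriptedCaller, but its body runs past the end of the hunk, so whether it needs the same treatment cannot be judged here.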