Bug 1414461. Make sure we always null-check the result of XrayTraits::EnsureHolder. r=mccr8
authorBoris Zbarsky <bzbarsky@mit.edu>
Sat, 04 Nov 2017 00:36:34 -0400
changeset 443441 405cc8ca7f764e985c6ab1e6d4365681b6ff2e10
parent 443440 dffccd112b821970c76f6e3d004cb28f5526a30f
child 443442 14fd26761bc4d10c5334abe50d7b6f3a5908f08d
child 443457 e85f59ea455dfc915b7d428eaf45a3cfa0b7baba
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
treeherdermozilla-release@882ca853e05a [default view] [failures only]
reviewersmccr8
bugs1414461
milestone58.0a1
Bug 1414461. Make sure we always null-check the result of XrayTraits::EnsureHolder. r=mccr8 MozReview-Commit-ID: IV2L0f2612D
js/xpconnect/wrappers/XrayWrapper.cpp
--- a/js/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/xpconnect/wrappers/XrayWrapper.cpp
@@ -711,16 +711,18 @@ JSXrayTraits::resolveOwnProperty(JSConte
 
     return true;
 }
 
 bool
 JSXrayTraits::delete_(JSContext* cx, HandleObject wrapper, HandleId id, ObjectOpResult& result)
 {
     RootedObject holder(cx, ensureHolder(cx, wrapper));
+    if (!holder)
+        return false;
 
     // If we're using Object Xrays, we allow callers to attempt to delete any
     // property from the underlying object that they are able to resolve. Note
     // that this deleting may fail if the property is non-configurable.
     JSProtoKey key = getProtoKey(holder);
     bool isObjectOrArrayInstance = (key == JSProto_Object || key == JSProto_Array) &&
                                    !isPrototype(holder);
     if (isObjectOrArrayInstance) {
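Review bot: The new `if (!holder) return false;` in delete_ (and the matching check in construct, second hunk) returns failure without saying who reports the error. Under the JSAPI convention a false return is expected to leave an exception pending on cx, so these early returns are only correct if ensureHolder reports on its own failure path (presumably OOM while creating the holder), which is not visible in this diff. Once that is confirmed, I would add a one-line comment above each check, e.g. `// ensureHolder already reported the failure on cx; just propagate it.`. The check itself is right: without it the null holder went straight into `getProtoKey(holder)`. delete_'s body continues past the end of the hunk.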
@@ -949,16 +951,19 @@ JSXrayTraits::enumerateNames(JSContext* 
 }
 
 bool
 JSXrayTraits::construct(JSContext* cx, HandleObject wrapper,
                         const JS::CallArgs& args, const js::Wrapper& baseInstance)
 {
     JSXrayTraits& self = JSXrayTraits::singleton;
     JS::RootedObject holder(cx, self.ensureHolder(cx, wrapper));
+    if (!holder)
+        return false;
+
     if (self.getProtoKey(holder) == JSProto_Function) {
         JSProtoKey standardConstructor = constructorFor(holder);
         if (standardConstructor == JSProto_Null)
             return baseInstance.construct(cx, wrapper, args);
 
         const js::Class* clasp = js::ProtoKeyToClass(standardConstructor);
         MOZ_ASSERT(clasp);
         if (!(clasp->flags & JSCLASS_HAS_XRAYED_CONSTRUCTOR))
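Review bot: In construct, `MOZ_ASSERT(clasp);` is the only guard before `clasp->flags` is read on the next line, and MOZ_ASSERT is compiled out of non-debug builds. If js::ProtoKeyToClass can ever return null for a key that constructorFor yields (not determinable from this hunk), release builds would dereference it. Either `MOZ_RELEASE_ASSERT(clasp);` or a short comment stating why the key always maps to a class would make the invariant explicit. These are context lines the commit does not touch, and construct's body continues past the end of the hunk.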