Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 11:25:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 695867 - Crash [@ LookupPropertyById] with getPropertyDescriptor returning a NodeList. r=bz.

Browse Source 
--HG--
extra : rebase_source : 7647c232594ab918b9c4488e8cb56d77dfea9b42
This commit is contained in:
Peter Van der Beken 2011-10-27 19:31:37 +02:00
parent aa20275991
commit be29e3d8a0
3 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
dom/base/crashtests/695867.html Normal file
View File

@ -0,0 +1,9 @@
<!DOCTYPE html>
<script>
var nodeList = document.documentElement.childNodes;
nodeList.__proto__ = null;
var p = Proxy.create({getPropertyDescriptor: function() {return nodeList}});
p.x;
</script>

1
dom/base/crashtests/crashtests.list
View File

@ -30,4 +30,5 @@ load 637116.html
load 666869.html
load 675621-1.html
load 693894.html
load 695867.html
load 697643.html

24
js/xpconnect/src/dombindings.cpp
View File

@ -637,8 +637,12 @@ ListBase<LC>::getPropertyDescriptor(JSContext *cx, JSObject *proxy, jsid id, boo
return true;
if (xpc::WrapperFactory::IsXrayWrapper(proxy))
return resolveNativeName(cx, proxy, id, desc);
return JS_GetPropertyDescriptorById(cx, js::GetObjectProto(proxy), id, JSRESOLVE_QUALIFIED,
desc);
JSObject *proto = js::GetObjectProto(proxy);
if (!proto) {
desc->obj = NULL;
return true;
}
return JS_GetPropertyDescriptorById(cx, proto, id, JSRESOLVE_QUALIFIED, desc);
}
JSClass ExpandoClass = {
@ -858,7 +862,13 @@ ListBase<LC>::shouldCacheProtoShape(JSContext *cx, JSObject *proto, bool *should
}
}
return Base::shouldCacheProtoShape(cx, js::GetObjectProto(proto), shouldCache);
JSObject *protoProto = js::GetObjectProto(proto);
if (!protoProto) {
*shouldCache = false;
return true;
}
return Base::shouldCacheProtoShape(cx, protoProto, shouldCache);
}
template<class LC>
@ -928,7 +938,13 @@ ListBase<LC>::nativeGet(JSContext *cx, JSObject *proxy, JSObject *proto, jsid id
}
}
return Base::nativeGet(cx, proxy, js::GetObjectProto(proto), id, found, vp);
JSObject *protoProto = js::GetObjectProto(proto);
if (!protoProto) {
*found = false;
return true;
}
return Base::nativeGet(cx, proxy, protoProto, id, found, vp);
}
template<class LC>