зеркало из https://github.com/mozilla/gecko-dev.git
Bug 600193 - trace-test/tests/jaeger/bug588363-1.js asserts with CompartmentChecker enabled. r=gal.
This makes eval(s) an indirect eval if the eval-function being called is in a different compartment from the caller's scope chain. This caused the eval in trace-test/tests/jaeger/bug588363-2.js to become indirect, which caused the test to fail with a ReferenceError. So I changed the test to delete the sandbox's eval, revealing the global eval underneath.
This commit is contained in:
Родитель
57857fccb8
Коммит
817c40ae52
|
@ -1016,6 +1016,13 @@ obj_eval(JSContext *cx, uintN argc, Value *vp)
|
|||
jsbytecode *callerPC = caller->pc(cx);
|
||||
bool indirectCall = (callerPC && *callerPC != JSOP_EVAL);
|
||||
|
||||
/*
|
||||
* If the callee was originally a cross-compartment wrapper, this should
|
||||
* be an indirect call.
|
||||
*/
|
||||
if (caller->scopeChain().compartment() != vp[0].toObject().compartment())
|
||||
indirectCall = true;
|
||||
|
||||
/*
|
||||
* Ban indirect uses of eval (nonglobal.eval = eval; nonglobal.eval(....))
|
||||
* that attempt to use a non-global object as the scope object.
|
||||
|
@ -1250,6 +1257,8 @@ obj_eval(JSContext *cx, uintN argc, Value *vp)
|
|||
return JS_FALSE;
|
||||
}
|
||||
|
||||
assertSameCompartment(cx, scopeobj, script);
|
||||
|
||||
/*
|
||||
* Belt-and-braces: check that the lesser of eval's principals and the
|
||||
* caller's principals has access to scopeobj.
|
||||
|
@ -3114,6 +3123,8 @@ js_NewWithObject(JSContext *cx, JSObject *proto, JSObject *parent, jsint depth)
|
|||
if (!thisp)
|
||||
return NULL;
|
||||
|
||||
assertSameCompartment(cx, obj, thisp);
|
||||
|
||||
obj->setWithThis(thisp);
|
||||
return obj;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
with(evalcx('')) {
|
||||
eval("x", this.__defineGetter__("x", Function))
|
||||
delete eval;
|
||||
eval("x", this.__defineGetter__("x", Function));
|
||||
}
|
||||
|
||||
/* Don't assert or crash. */
|
||||
|
|
Загрузка…
Ссылка в новой задаче