Bug 1246215 - Guard against passing non-atoms and non-property names to LookupProperty; r=evilpie

--HG-- extra : rebase_source : 77a36f4d0b3c130428278f018095905b72ff0402
2016-03-01 10:48:52 -08:00 · 2016-03-01 10:48:52 -08:00 · a991215c95
--- a/js/src/jit-test/tests/debug/Object-forceLexicalInitializationByName.js
+++ b/js/src/jit-test/tests/debug/Object-forceLexicalInitializationByName.js
@ -17,7 +17,6 @@ function evalErrorStr(global, evalString) {


 assertEq(evalErrorStr(g, "let y = IDONTEXIST;"), "ReferenceError: IDONTEXIST is not defined");
-
 assertEq(evalErrorStr(g, "y = 1;"),
         "ReferenceError: can't access lexical declaration `y' before initialization");

@ -32,13 +31,22 @@ assertEq(g.evaluate("y"), 1);
 assertEq(gw.forceLexicalInitializationByName("idontexist"), false);
 assertEq(evalErrorStr(g, "idontexist"), "ReferenceError: idontexist is not defined");

+// Ensure that ropes (non-atoms) behave properly
+assertEq(gw.forceLexicalInitializationByName(("foo" + "bar" + "bop" + "zopple" + 2 + 3).slice(1)),
+                                             false);
+assertEq(evalErrorStr(g, "let oobarbopzopple23 = IDONTEXIST;"), "ReferenceError: IDONTEXIST is not defined");
+assertEq(gw.forceLexicalInitializationByName(("foo" + "bar" + "bop" + "zopple" + 2 + 3).slice(1)),
+                                             true);
+assertEq(g.evaluate("oobarbopzopple23"), undefined);
+
 // Ensure that only strings are accepted by forceLexicalInitializationByName
 const bad_types = [
    2112,
    {geddy: "lee"},
    () => 1,
    [],
-    Array
+    Array,
+    "'1'", // non-identifier
 ]

 for (var badType of bad_types) {
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@ -8055,22 +8055,23 @@ DebuggerObject_forceLexicalInitializationByName(JSContext *cx, unsigned argc, Va
        return false;
    }

-    PropertyName* name = args[0].toString()->asAtom().asPropertyName();
+    RootedId id(cx);
+    if (!ValueToIdentifier(cx, args[0], &id))
+        return false;
+
+    RootedObject pobj(cx);
+    RootedShape shape(cx);
+    if (!LookupProperty(cx, globalLexical, id, &pobj, &shape))
+        return false;

    bool initialized = false;
-
-    Shape* s = nullptr;
-    JSObject* scope = nullptr;
-    JSObject* pobj = nullptr;
-
-    if (LookupNameNoGC(cx, name, globalLexical, &scope, &pobj, &s)) {
-        Value v = globalLexical->as<NativeObject>().getSlot(s->slot());
-        if (s->hasSlot() && v.isMagic() && v.whyMagic() == JS_UNINITIALIZED_LEXICAL) {
-            globalLexical->as<NativeObject>().setSlot(s->slot(), UndefinedValue());
+    if (shape) {
+        Value v = globalLexical->as<NativeObject>().getSlot(shape->slot());
+        if (shape->hasSlot() && v.isMagic() && v.whyMagic() == JS_UNINITIALIZED_LEXICAL) {
+            globalLexical->as<NativeObject>().setSlot(shape->slot(), UndefinedValue());
            initialized = true;
-         }
+        }
    }
-
    args.rval().setBoolean(initialized);
    return true;
 }