Bug 1706937 - Handle nuked CCWs in JS shell source element hook. r=jandem

While the shell uses a private value on the ScriptSourceObject that always has an "element" property, due to CCW nuking we may wind up with a dead-proxy object instead. Handle this case explicitly to avoid failing asserts below. Differential Revision: https://phabricator.services.mozilla.com/D113876
2021-05-03 20:08:06 +00:00 · 2021-05-03 20:08:06 +00:00 · be9de47e53
--- a/js/src/jit-test/tests/debug/bug1706937.js
+++ b/js/src/jit-test/tests/debug/bug1706937.js
@ -0,0 +1,14 @@
+
+let g = newGlobal({newCompartment: true});
+let d = new Debugger(g);
+
+g.eval("")
+let script = d.findScripts()[0];
+
+nukeAllCCWs()
+
+// A DeadProxyObject accessing the source-object should not crash.
+try {
+  let element = script.source.element;
+} catch (e) {
+}
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@ -141,6 +141,7 @@
 #include "js/Warnings.h"     // JS::SetWarningReporter
 #include "js/WasmModule.h"   // JS::WasmModule
 #include "js/Wrapper.h"
+#include "proxy/DeadObjectProxy.h"  // js::IsDeadProxyObject
 #include "shell/jsoptparse.h"
 #include "shell/jsshell.h"
 #include "shell/OSObject.h"
@ -4722,6 +4723,13 @@ JSObject* GetElementCallback(JSContext* cx, JS::HandleValue value) {
    return nullptr;
  }

+  // Due to nukeCCW shenanigans in the shell, we need to check for dead-proxy
+  // objects that may have replaced an CCW.  Otherwise the GetProperty below
+  // would throw an exception which we do not want to support in this callback.
+  if (js::IsDeadProxyObject(&privateValue.toObject())) {
+    return nullptr;
+  }
+
  RootedObject infoObject(cx,
                          CheckedUnwrapStatic(privateValue.toObjectOrNull()));
  AutoRealm ar(cx, infoObject);
@ -4737,6 +4745,7 @@ JSObject* GetElementCallback(JSContext* cx, JS::HandleValue value) {
  if (elementValue.isObject()) {
    return &elementValue.toObject();
  }
+
  return nullptr;
 }