Commits:
-
61cd2d08
by Jon Coppeard at 2025-12-05T21:53:31+01:00
Bug 1995637 - Make sure debugger object gets traced when tracing breakpoints r=iain
Breakpoints currently trace |wrappedDebugger| but this doesn't keep |debugger|
alive if we have nuked the CCWs. The debugger has a linked list of breakpoints that
each breakpoint is part of so we need to make sure it lives at least as long as
that.
The patch traces the debugger's object even if our CCW to it has been nuked.
Differential Revision: https://phabricator.services.mozilla.com/D271062
-
274abcbe
by moz-mdauer at 2025-12-05T22:07:49+01:00
Bug 1997639 - Set error on early returns, a=dmeehan
Original Revision: https://phabricator.services.mozilla.com/D270900
Differential Revision: https://phabricator.services.mozilla.com/D273984
3 changed files:
Changes:
dom/webtransport/api/WebTransport.cpp
| ... |
... |
@@ -258,6 +258,7 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL, |
|
258
|
258
|
PBackgroundChild* backgroundChild =
|
|
259
|
259
|
BackgroundChild::GetOrCreateForCurrentThread();
|
|
260
|
260
|
if (NS_WARN_IF(!backgroundChild)) {
|
|
|
261
|
+ aError.Throw(NS_ERROR_FAILURE);
|
|
261
|
262
|
return;
|
|
262
|
263
|
}
|
|
263
|
264
|
|
| ... |
... |
@@ -276,11 +277,13 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL, |
|
276
|
277
|
RefPtr<WebTransportChild> child = new WebTransportChild(this);
|
|
277
|
278
|
if (NS_IsMainThread()) {
|
|
278
|
279
|
if (!childEndpoint.Bind(child)) {
|
|
|
280
|
+ aError.Throw(NS_ERROR_FAILURE);
|
|
279
|
281
|
return;
|
|
280
|
282
|
}
|
|
281
|
283
|
} else {
|
|
282
|
284
|
if (!childEndpoint.Bind(child,
|
|
283
|
285
|
mGlobal->EventTargetFor(TaskCategory::Other))) {
|
|
|
286
|
+ aError.Throw(NS_ERROR_FAILURE);
|
|
284
|
287
|
return;
|
|
285
|
288
|
}
|
|
286
|
289
|
}
|
js/src/debugger/Debugger.cpp
| ... |
... |
@@ -446,6 +446,9 @@ Breakpoint::Breakpoint(Debugger* debugger, HandleObject wrappedDebugger, |
|
446
|
446
|
|
|
447
|
447
|
void Breakpoint::trace(JSTracer* trc) {
|
|
448
|
448
|
TraceEdge(trc, &wrappedDebugger, "breakpoint owner");
|
|
|
449
|
+ // Trace the debugger object too in case |wrappedDebugger| got nuked.
|
|
|
450
|
+ TraceCrossCompartmentEdge(trc, wrappedDebugger, &debugger->object,
|
|
|
451
|
+ "breakpoint debugger object");
|
|
449
|
452
|
TraceEdge(trc, &handler, "breakpoint handler");
|
|
450
|
453
|
}
|
|
451
|
454
|
|
js/src/jit-test/tests/debug/bug-1995637.js
|
|
1
|
+// |jit-test| error: TypeError
|
|
|
2
|
+gczeal(9,16);
|
|
|
3
|
+function F1() {
|
|
|
4
|
+ if (!new.target) { throw 'must be called with new'; }
|
|
|
5
|
+ this.b = null;
|
|
|
6
|
+}
|
|
|
7
|
+new F1();
|
|
|
8
|
+new F1();
|
|
|
9
|
+function f5() {}
|
|
|
10
|
+new BigUint64Array(3474);
|
|
|
11
|
+function f14() {}
|
|
|
12
|
+function f25(a26, a27) {
|
|
|
13
|
+ for (let i30 = 0, i31 = true; i31; i31--) {
|
|
|
14
|
+ function f37() {
|
|
|
15
|
+ function F38() {}
|
|
|
16
|
+ for (let i44 = 0, i45 = SharedArrayBuffer; i45;
|
|
|
17
|
+ (() => {
|
|
|
18
|
+ i45--;
|
|
|
19
|
+ Int8Array.principal = BigUint64Array;
|
|
|
20
|
+ function F50() {}
|
|
|
21
|
+ Int8Array.sameZoneAs = /wp(?:a?)+/imu;
|
|
|
22
|
+ const v54 = this.newGlobal(Int8Array);
|
|
|
23
|
+ const t7 = ({ __proto__: v54 }).Debugger;
|
|
|
24
|
+ const v57 = t7(F50);
|
|
|
25
|
+ const v59 = v57.getNewestFrame(i30, i45, i45, f25, v57).older;
|
|
|
26
|
+ v59.script.setBreakpoint(16, v59);
|
|
|
27
|
+ })()) {}
|
|
|
28
|
+ for (let [i134, i135] = (() => {
|
|
|
29
|
+ for (let i84 = 0, i85 = 10; i85;
|
|
|
30
|
+ (() => {
|
|
|
31
|
+ i85--;
|
|
|
32
|
+ for (let [i102, i103] = (() => {
|
|
|
33
|
+ for (let [i95, i96] = (() => {
|
|
|
34
|
+ new Uint8Array();
|
|
|
35
|
+ return [0, 10];
|
|
|
36
|
+ })(); i96; i96--) {
|
|
|
37
|
+ }
|
|
|
38
|
+ return [0, SharedArrayBuffer];
|
|
|
39
|
+ })();
|
|
|
40
|
+ i103; i103--) {}
|
|
|
41
|
+ for (let i113 = -4, i114 = 10; i114; i114--) {}
|
|
|
42
|
+ for (let i122 = 4, i123 = 10; i123--, i123; i123--) {
|
|
|
43
|
+ i123++;
|
|
|
44
|
+ }
|
|
|
45
|
+ })()) {}
|
|
|
46
|
+ return [0, SharedArrayBuffer];
|
|
|
47
|
+ })();
|
|
|
48
|
+ i135; i135--) { }
|
|
|
49
|
+ for (let i143 = 0, i144 = 10; i144; i144--) {}
|
|
|
50
|
+ }
|
|
|
51
|
+ f37.apply();
|
|
|
52
|
+ }
|
|
|
53
|
+ for (let i153 = 0, i154 = 10; i154; i154--) {}
|
|
|
54
|
+ function F160(a162, a163) {
|
|
|
55
|
+ if (!new.target) { throw 'must be called with new'; }
|
|
|
56
|
+ this.c = a27;
|
|
|
57
|
+ this.h = a162;
|
|
|
58
|
+ }
|
|
|
59
|
+ new F160(234, a27);
|
|
|
60
|
+ const v167 = this.nukeAllCCWs();
|
|
|
61
|
+ for (let i170 = 0, i171 = 10; i171; i171--) {}
|
|
|
62
|
+ try {
|
|
|
63
|
+ f25();
|
|
|
64
|
+ } catch(e178) {}
|
|
|
65
|
+}
|
|
|
66
|
+f25(f25, f25); |
|