authorJosh Matthews <josh@joshmatthews.net>2025-04-16 02:52:48 -0400
committerGitHub <noreply@github.com>2025-04-16 06:52:48 +0000
commit9aa09d73b5d82406b0d922a30f30b65ffcf9eb96 (patch)
tree3ef51c4910d03dce588b05704cadd0537fb037b2
parentf5e6eb289af2507fa01a7926eff77d46c773b2c1 (diff)
downloadservo-9aa09d73b5d82406b0d922a30f30b65ffcf9eb96.tar.gz
servo-9aa09d73b5d82406b0d922a30f30b65ffcf9eb96.zip
Fix crash when setting custom property on Location (#36494)
The JS engine uses types like `Handle<Maybe<PropertyDescriptor>>` in various places and our automated bindings are not able to handle the Maybe type. We have hand-written bindings that use outparams to indicate a PropertyDescriptor value is actually the Nothing type, but that data was getting lost when we passed the property descriptor to SetPropertyIgnoringNamedGetter, which assumed that the property descriptor was always valid. Depends on https://github.com/servo/mozjs/pull/579. Testing: Manual testing on testcase from https://github.com/servo/servo/issues/34709, and new crashtest added. Fixes: #34709 Signed-off-by: Josh Matthews <josh@joshmatthews.net>
-rw-r--r--Cargo.lock6
-rw-r--r--components/script_bindings/proxyhandler.rs7
-rw-r--r--tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html.ini3
-rw-r--r--tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html.ini3
-rw-r--r--tests/wpt/meta/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/no-new-global.window.js.ini3
-rw-r--r--tests/wpt/mozilla/meta/MANIFEST.json7
-rw-r--r--tests/wpt/mozilla/tests/mozilla/location-set-crash.html5
7 files changed, 21 insertions, 13 deletions
diff --git a/Cargo.lock b/Cargo.lock
index e9af4b24fdd..fefafec532a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4673,7 +4673,7 @@ dependencies = [
[[package]]
name = "mozjs"
version = "0.14.1"
-source = "git+https://github.com/servo/mozjs#e4d4f9ac06162fe2647078dc4be8c270b7219807"
+source = "git+https://github.com/servo/mozjs#d1525dfaee22cc1ea9ee16c552cdeedaa9f20741"
dependencies = [
"bindgen 0.71.1",
"cc",
@@ -4684,8 +4684,8 @@ dependencies = [
[[package]]
name = "mozjs_sys"
-version = "0.128.9-0"
-source = "git+https://github.com/servo/mozjs#e4d4f9ac06162fe2647078dc4be8c270b7219807"
+version = "0.128.9-1"
+source = "git+https://github.com/servo/mozjs#d1525dfaee22cc1ea9ee16c552cdeedaa9f20741"
dependencies = [
"bindgen 0.71.1",
"cc",
diff --git a/components/script_bindings/proxyhandler.rs b/components/script_bindings/proxyhandler.rs
index 314d1369048..29da3e91a92 100644
--- a/components/script_bindings/proxyhandler.rs
+++ b/components/script_bindings/proxyhandler.rs
@@ -565,13 +565,18 @@ pub(crate) unsafe extern "C" fn maybe_cross_origin_set_rawcx<D: DomTypes>(
return false;
}
+ let own_desc_handle = own_desc.handle().into();
js::jsapi::SetPropertyIgnoringNamedGetter(
*cx,
proxy,
id,
v,
receiver,
- own_desc.handle().into(),
+ if is_none {
+ ptr::null()
+ } else {
+ &own_desc_handle
+ },
result,
)
}
diff --git a/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html.ini b/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html.ini
deleted file mode 100644
index e94f347f6ee..00000000000
--- a/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[location-prototype-setting-same-origin-domain.sub.html]
- [Same-origin-domain: setting the prototype to an empty object via __proto__ should throw a TypeError]
- expected: FAIL
diff --git a/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html.ini b/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html.ini
deleted file mode 100644
index 7bf488f91f7..00000000000
--- a/tests/wpt/meta/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[location-prototype-setting-same-origin.html]
- [Same-origin: setting the prototype to an empty object via __proto__ should throw a TypeError]
- expected: FAIL
diff --git a/tests/wpt/meta/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/no-new-global.window.js.ini b/tests/wpt/meta/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/no-new-global.window.js.ini
index e71fd79e31e..38cbf536604 100644
--- a/tests/wpt/meta/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/no-new-global.window.js.ini
+++ b/tests/wpt/meta/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/no-new-global.window.js.ini
@@ -1,6 +1,3 @@
[no-new-global.window.html]
[BarProp maintains its prototype and properties through open()]
expected: FAIL
-
- [Location maintains its prototype and properties through open()]
- expected: FAIL
diff --git a/tests/wpt/mozilla/meta/MANIFEST.json b/tests/wpt/mozilla/meta/MANIFEST.json
index ce4e2b8200c..874da107470 100644
--- a/tests/wpt/mozilla/meta/MANIFEST.json
+++ b/tests/wpt/mozilla/meta/MANIFEST.json
@@ -23,6 +23,13 @@
{}
]
],
+ "location-set-crash.html": [
+ "0b1695df79b0437fb644bfcb3ef09bc0eb906f1e",
+ [
+ null,
+ {}
+ ]
+ ],
"test-wait-crash.html": [
"2419da6af0c278a17b9ff974d4418f9e386ef3e0",
[
diff --git a/tests/wpt/mozilla/tests/mozilla/location-set-crash.html b/tests/wpt/mozilla/tests/mozilla/location-set-crash.html
new file mode 100644
index 00000000000..0b1695df79b
--- /dev/null
+++ b/tests/wpt/mozilla/tests/mozilla/location-set-crash.html
@@ -0,0 +1,5 @@
+<html>
+<script>
+ window.location.foo = () => {};
+</script>
+</html>
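Review bot: The crashtest carries no comment saying which regression it guards, so a later reader sees only an assignment to `window.location.foo`. A first line such as `<!-- Regression test for #34709: setting a custom property on Location must not crash. -->` would make it self-explanatory. It exercises only a same-origin assignment of a property that does not yet exist; that appears to be the path that crashed, but a cross-origin variant is not covered here.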