ma1 pushed to branch tor-browser-115.31.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:

3 changed files:

Changes:

  • dom/webtransport/api/WebTransport.cpp
    ... ... @@ -258,6 +258,7 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL,
    258 258 
       PBackgroundChild* backgroundChild =
    259 259 
           BackgroundChild::GetOrCreateForCurrentThread();
    260 260 
       if (NS_WARN_IF(!backgroundChild)) {
    261 
    +    aError.Throw(NS_ERROR_FAILURE);
    261 262 
         return;
    262 263 
       }
    263 264
    ... ... @@ -276,11 +277,13 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL,
    276 277 
       RefPtr<WebTransportChild> child = new WebTransportChild(this);
    277 278 
       if (NS_IsMainThread()) {
    278 279 
         if (!childEndpoint.Bind(child)) {
    280 
    +      aError.Throw(NS_ERROR_FAILURE);
    279 281 
           return;
    280 282 
         }
    281 283 
       } else {
    282 284 
         if (!childEndpoint.Bind(child,
    283 285 
                                 mGlobal->EventTargetFor(TaskCategory::Other))) {
    286 
    +      aError.Throw(NS_ERROR_FAILURE);
    284 287 
           return;
    285 288 
         }
    286 289 
       }

  • js/src/debugger/Debugger.cpp
    ... ... @@ -446,6 +446,9 @@ Breakpoint::Breakpoint(Debugger* debugger, HandleObject wrappedDebugger,
    446 446
    447 447 
     void Breakpoint::trace(JSTracer* trc) {
    448 448 
       TraceEdge(trc, &wrappedDebugger, "breakpoint owner");
    449 
    +  // Trace the debugger object too in case |wrappedDebugger| got nuked.
    450 
    +  TraceCrossCompartmentEdge(trc, wrappedDebugger, &debugger->object,
    451 
    +                            "breakpoint debugger object");
    449 452 
       TraceEdge(trc, &handler, "breakpoint handler");
    450 453 
     }
    451 454

  • js/src/jit-test/tests/debug/bug-1995637.js
    1 
    +// |jit-test| error: TypeError
    2 
    +gczeal(9,16);
    3 
    +function F1() {
    4 
    +    if (!new.target) { throw 'must be called with new'; }
    5 
    +    this.b = null;
    6 
    +}
    7 
    +new F1();
    8 
    +new F1();
    9 
    +function f5() {}
    10 
    +new BigUint64Array(3474);
    11 
    +function f14() {}
    12 
    +function f25(a26, a27) {
    13 
    +    for (let i30 = 0, i31 = true; i31; i31--) {
    14 
    +        function f37() {
    15 
    +            function F38() {}
    16 
    +            for (let i44 = 0, i45 = SharedArrayBuffer; i45;
    17 
    +                (() => {
    18 
    +                    i45--;
    19 
    +                    Int8Array.principal = BigUint64Array;
    20 
    +                    function F50() {}
    21 
    +                    Int8Array.sameZoneAs = /wp(?:a?)+/imu;
    22 
    +                    const v54 = this.newGlobal(Int8Array);
    23 
    +                    const t7 = ({ __proto__: v54 }).Debugger;
    24 
    +                    const v57 = t7(F50);
    25 
    +                    const v59 = v57.getNewestFrame(i30, i45, i45, f25, v57).older;
    26 
    +                    v59.script.setBreakpoint(16, v59);
    27 
    +                })()) {}
    28 
    +            for (let [i134, i135] = (() => {
    29 
    +                    for (let i84 = 0, i85 = 10; i85;
    30 
    +                        (() => {
    31 
    +                            i85--;
    32 
    +                            for (let [i102, i103] = (() => {
    33 
    +                                    for (let [i95, i96] = (() => {
    34 
    +                                            new Uint8Array();
    35 
    +                                            return [0, 10];
    36 
    +                                        })(); i96; i96--) {
    37 
    +                                    }
    38 
    +                                    return [0, SharedArrayBuffer];
    39 
    +                                })();
    40 
    +                                i103; i103--) {}
    41 
    +                            for (let i113 = -4, i114 = 10; i114; i114--) {}
    42 
    +                            for (let i122 = 4, i123 = 10; i123--, i123; i123--) {
    43 
    +                                i123++;
    44 
    +                            }
    45 
    +                        })()) {}
    46 
    +                    return [0, SharedArrayBuffer];
    47 
    +                })();
    48 
    +                i135; i135--) {            }
    49 
    +            for (let i143 = 0, i144 = 10; i144; i144--) {}
    50 
    +        }
    51 
    +        f37.apply();
    52 
    +    }
    53 
    +    for (let i153 = 0, i154 = 10; i154; i154--) {}
    54 
    +    function F160(a162, a163) {
    55 
    +        if (!new.target) { throw 'must be called with new'; }
    56 
    +        this.c = a27;
    57 
    +        this.h = a162;
    58 
    +    }
    59 
    +    new F160(234, a27);
    60 
    +    const v167 = this.nukeAllCCWs();
    61 
    +    for (let i170 = 0, i171 = 10; i171; i171--) {}
    62 
    +    try {
    63 
    +        f25();
    64 
    +    } catch(e178) {}
    65 
    +}
    66 
    +f25(f25, f25);


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help Notification message regarding https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/2bbc0a4d9be8a111ab35a73891114922420de62f...274abcbe3f57ecc6ecd30837433246a2705ec720 at 1765031231