ma1 pushed to branch tor-browser-115.31.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: 61cd2d08 by Jon Coppeard at 2025-12-05T21:53:31+01:00 Bug 1995637 - Make sure debugger object gets traced when tracing breakpoints r=iain Breakpoints currently trace |wrappedDebugger| but this doesn't keep |debugger| alive if we have nuked the CCWs. The debugger has a linked list of breakpoints that each breakpoint is part of so we need to make sure it lives at least as long as that. The patch traces the debugger's object even if our CCW to it has been nuked. Differential Revision: https://phabricator.services.mozilla.com/D271062 - - - - - 274abcbe by moz-mdauer at 2025-12-05T22:07:49+01:00 Bug 1997639 - Set error on early returns, a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D270900 Differential Revision: https://phabricator.services.mozilla.com/D273984 - - - - - 3 changed files: - dom/webtransport/api/WebTransport.cpp - js/src/debugger/Debugger.cpp - + js/src/jit-test/tests/debug/bug-1995637.js Changes: ===================================== dom/webtransport/api/WebTransport.cpp ===================================== @@ -258,6 +258,7 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL, PBackgroundChild* backgroundChild = BackgroundChild::GetOrCreateForCurrentThread(); if (NS_WARN_IF(!backgroundChild)) { + aError.Throw(NS_ERROR_FAILURE); return; } @@ -276,11 +277,13 @@ void WebTransport::Init(const GlobalObject& aGlobal, const nsAString& aURL, RefPtr<WebTransportChild> child = new WebTransportChild(this); if (NS_IsMainThread()) { if (!childEndpoint.Bind(child)) { + aError.Throw(NS_ERROR_FAILURE); return; } } else { if (!childEndpoint.Bind(child, mGlobal->EventTargetFor(TaskCategory::Other))) { + aError.Throw(NS_ERROR_FAILURE); return; } } ===================================== js/src/debugger/Debugger.cpp ===================================== @@ -446,6 +446,9 @@ Breakpoint::Breakpoint(Debugger* debugger, HandleObject wrappedDebugger, void Breakpoint::trace(JSTracer* trc) { TraceEdge(trc, &wrappedDebugger, "breakpoint owner"); + // Trace the debugger object too in case |wrappedDebugger| got nuked. + TraceCrossCompartmentEdge(trc, wrappedDebugger, &debugger->object, + "breakpoint debugger object"); TraceEdge(trc, &handler, "breakpoint handler"); } ===================================== js/src/jit-test/tests/debug/bug-1995637.js ===================================== @@ -0,0 +1,66 @@ +// |jit-test| error: TypeError +gczeal(9,16); +function F1() { + if (!new.target) { throw 'must be called with new'; } + this.b = null; +} +new F1(); +new F1(); +function f5() {} +new BigUint64Array(3474); +function f14() {} +function f25(a26, a27) { + for (let i30 = 0, i31 = true; i31; i31--) { + function f37() { + function F38() {} + for (let i44 = 0, i45 = SharedArrayBuffer; i45; + (() => { + i45--; + Int8Array.principal = BigUint64Array; + function F50() {} + Int8Array.sameZoneAs = /wp(?:a?)+/imu; + const v54 = this.newGlobal(Int8Array); + const t7 = ({ __proto__: v54 }).Debugger; + const v57 = t7(F50); + const v59 = v57.getNewestFrame(i30, i45, i45, f25, v57).older; + v59.script.setBreakpoint(16, v59); + })()) {} + for (let [i134, i135] = (() => { + for (let i84 = 0, i85 = 10; i85; + (() => { + i85--; + for (let [i102, i103] = (() => { + for (let [i95, i96] = (() => { + new Uint8Array(); + return [0, 10]; + })(); i96; i96--) { + } + return [0, SharedArrayBuffer]; + })(); + i103; i103--) {} + for (let i113 = -4, i114 = 10; i114; i114--) {} + for (let i122 = 4, i123 = 10; i123--, i123; i123--) { + i123++; + } + })()) {} + return [0, SharedArrayBuffer]; + })(); + i135; i135--) { } + for (let i143 = 0, i144 = 10; i144; i144--) {} + } + f37.apply(); + } + for (let i153 = 0, i154 = 10; i154; i154--) {} + function F160(a162, a163) { + if (!new.target) { throw 'must be called with new'; } + this.c = a27; + this.h = a162; + } + new F160(234, a27); + const v167 = this.nukeAllCCWs(); + for (let i170 = 0, i171 = 10; i171; i171--) {} + try { + f25(); + } catch(e178) {} +} +f25(f25, f25); View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/2bbc0a4... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/2bbc0a4... You're receiving this email because of your account on gitlab.torproject.org.