Fix crash when enumerating properties of global object (#36491)

These changes make our implementation of the enumeration hook for globals [match Gecko's](https://searchfox.org/mozilla-central/rev/1f65969e57c757146e3e548614b49d3a4168eeb8/dom/base/nsGlobalWindowInner.cpp#3297), fixing an assertion failure that occurred in the previous implementation. Our enumeration hook is supposed to fill a vector with names of properties on the global object without modifying the global in any way; instead we were defining all of the missing webidl interfaces. We now do much less work and crash less. Testing: New crashtest based on manual testcase. Fixes: #34686 --------- Signed-off-by: Josh Matthews <josh@joshmatthews.net>
2025-08-13 09:25:32 +01:00 · 2025-04-16 23:32:53 -04:00 · 2025-04-16 23:32:53 -04:00 · 30390f8c5e
commit 30390f8c5e
parent a1b9949f75
9 changed files with 98 additions and 34 deletions
--- a/tests/wpt/mozilla/meta/MANIFEST.json
+++ b/tests/wpt/mozilla/meta/MANIFEST.json
@ -16,6 +16,13 @@
      {}
     ]
    ],
+    "global-enumerate-crash.html": [
+     "a77e79b1465bf7555340dd5e9bf94a4c8caa85f2",
+     [
+      null,
+      {}
+     ]
+    ],
    "iframe_focus-crash.html": [
     "f991b1a563f3cc44870640ab194708fa239ad89d",
     [
@ -13517,7 +13524,7 @@
     ]
    ],
    "interfaces.worker.js": [
-     "8d109502622fac7266a4564de09684a3ab94118c",
+     "8af942c0f99218fb39770cdcf299eaa230339010",
     [
      "mozilla/interfaces.worker.html",
      {}
--- a/tests/wpt/mozilla/tests/mozilla/global-enumerate-crash.html
+++ b/tests/wpt/mozilla/tests/mozilla/global-enumerate-crash.html
@ -0,0 +1,15 @@
+<html class=test-wait>
+  <body>
+    <iframe id="if"></iframe>
+    <script>
+          const frame = document.getElementById('if').contentWindow;
+          for (const i of Object.getOwnPropertyNames(frame)) {
+            try {
+              frame[i]['foo'];
+            } catch (e) {
+            }
+          }
+          document.documentElement.classList.remove("test-wait");
+    </script>
+  </body>
+</html>
--- a/tests/wpt/mozilla/tests/mozilla/interfaces.worker.js
+++ b/tests/wpt/mozilla/tests/mozilla/interfaces.worker.js
@ -107,6 +107,7 @@ test_interfaces([
  "Response",
  "SecurityPolicyViolationEvent",
  "ServiceWorkerContainer",
+  "SVGRect",
  "TextDecoder",
  "TextEncoder",
  "TrustedHTML",
@ -128,6 +129,7 @@ test_interfaces([
  "WebGLShaderPrecisionFormat",
  "WebGLTexture",
  "WebGLUniformLocation",
+  "WebKitCSSMatrix",
  "WebSocket",
  "WeakRef",
  "Worker",