Bug 846: {get,set}Property check JS_InstanceOf without asserting.

The getProperty and setProperty functions of a JSClass must not assume
that the obj parameter points to an instance of that class.  It might
instead point to another object that merely has an instance of the
class in its prototype chain.  Thus, do not assert that JS_InstanceOf
returns true there.  Instead, run the check even with CONFIG_FASTMEM,
and just return JS_FALSE if it fails.

src/ecmascript/spidermonkey/document.c

@@ -80,8 +80,11 @@ document_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct document *document;
 	struct session *ses;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &document_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &document_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -177,8 +180,11 @@ document_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct document_view *doc_view;
 	struct document *document;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &document_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &document_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;

src/ecmascript/spidermonkey/form.c

@@ -141,8 +141,11 @@ input_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	int linknum;
 	struct link *link = NULL;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &input_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &input_class, NULL))
+		return JS_FALSE;
 	parent_form = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_form, (JSClass *) &form_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -282,8 +285,11 @@ input_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct link *link = NULL;
 	unicode_val_T accesskey;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &input_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &input_class, NULL))
+		return JS_FALSE;
 	parent_form = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_form, (JSClass *) &form_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -582,8 +588,11 @@ form_elements_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct form_view *form_view;
 	struct form *form;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &form_elements_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &form_elements_class, NULL))
+		return JS_FALSE;
 	parent_form = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_form, (JSClass *) &form_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -789,8 +798,11 @@ form_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct form_view *fv;
 	struct form *form;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &form_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &form_class, NULL))
+		return JS_FALSE;
 	parent_doc = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_doc, (JSClass *) &document_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -911,8 +923,11 @@ form_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct form *form;
 	unsigned char *string;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &form_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &form_class, NULL))
+		return JS_FALSE;
 	parent_doc = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_doc, (JSClass *) &document_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -1101,8 +1116,11 @@ forms_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct document_view *doc_view;
 	struct document *document;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &forms_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &forms_class, NULL))
+		return JS_FALSE;
 	parent_doc = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_doc, (JSClass *) &document_class, NULL));
 	if_assert_failed return JS_FALSE;

src/ecmascript/spidermonkey/location.c

@@ -149,8 +149,11 @@ location_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	JSObject *parent_win;	/* instance of @window_class */
 	struct view_state *vs;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &location_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &location_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -182,8 +185,11 @@ location_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct view_state *vs;
 	struct document_view *doc_view;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &location_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &location_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;

src/ecmascript/spidermonkey/unibar.c

@@ -82,9 +82,12 @@ unibar_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct session_status *status;
 	unsigned char *bar;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &menubar_class, NULL)
-	    || JS_InstanceOf(ctx, obj, (JSClass *) &statusbar_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of either
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &menubar_class, NULL)
+	 && !JS_InstanceOf(ctx, obj, (JSClass *) &statusbar_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;
@@ -134,9 +137,12 @@ unibar_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct session_status *status;
 	unsigned char *bar;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &menubar_class, NULL)
-	    || JS_InstanceOf(ctx, obj, (JSClass *) &statusbar_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of either
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &menubar_class, NULL)
+	 && !JS_InstanceOf(ctx, obj, (JSClass *) &statusbar_class, NULL))
+		return JS_FALSE;
 	parent_win = JS_GetParent(ctx, obj);
 	assert(JS_InstanceOf(ctx, parent_win, (JSClass *) &window_class, NULL));
 	if_assert_failed return JS_FALSE;

src/ecmascript/spidermonkey/window.c

@@ -122,8 +122,11 @@ window_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct view_state *vs;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &window_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &window_class, NULL))
+		return JS_FALSE;
 
 	vs = JS_GetPrivate(ctx, obj); /* from @window_class */
 
@@ -246,8 +249,11 @@ window_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct view_state *vs;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &window_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &window_class, NULL))
+		return JS_FALSE;
 
 	vs = JS_GetPrivate(ctx, obj); /* from @window_class */
 

src/scripting/smjs/bookmarks.c

@@ -80,8 +80,11 @@ bookmark_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct bookmark *bookmark;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_class, NULL))
+		return JS_FALSE;
 
 	bookmark = JS_GetPrivate(ctx, obj); /* from @bookmark_class */
 
@@ -121,8 +124,11 @@ bookmark_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct bookmark *bookmark;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_class, NULL))
+		return JS_FALSE;
 
 	bookmark = JS_GetPrivate(ctx, obj); /* from @bookmark_class */
 
@@ -191,8 +197,11 @@ bookmark_folder_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	struct bookmark *folder;
 	unsigned char *title;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_folder_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &bookmark_folder_class, NULL))
+		return JS_FALSE;
 
 	folder = JS_GetPrivate(ctx, obj); /* from @bookmark_folder_class */
 

src/scripting/smjs/cache_object.c

@@ -39,8 +39,11 @@ cache_entry_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct cache_entry *cached;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &cache_entry_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &cache_entry_class, NULL))
+		return JS_FALSE;
 
 	cached = JS_GetPrivate(ctx, obj); /* from @cache_entry_class */
 
@@ -96,8 +99,11 @@ cache_entry_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct cache_entry *cached;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &cache_entry_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &cache_entry_class, NULL))
+		return JS_FALSE;
 
 	cached = JS_GetPrivate(ctx, obj); /* from @cache_entry_class */
 

src/scripting/smjs/globhist.c

@@ -50,8 +50,11 @@ smjs_globhist_item_get_property(JSContext *ctx, JSObject *obj, jsval id,
 {
 	struct global_history_item *history_item;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &smjs_globhist_item_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &smjs_globhist_item_class, NULL))
+		return JS_FALSE;
 
 	history_item = JS_GetPrivate(ctx, obj); /* from @smjs_globhist_item_class */
 
@@ -107,8 +110,11 @@ smjs_globhist_item_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *
 {
 	struct global_history_item *history_item;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &smjs_globhist_item_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &smjs_globhist_item_class, NULL))
+		return JS_FALSE;
 
 	history_item = JS_GetPrivate(ctx, obj); /* from @smjs_globhist_item_class */
 

src/scripting/smjs/keybinding.c

@@ -23,8 +23,11 @@ keymap_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	const unsigned char *keystroke_str;
 	int *data;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &keymap_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &keymap_class, NULL))
+		return JS_FALSE;
 
 	data = JS_GetPrivate(ctx, obj); /* from @keymap_class */
 
@@ -74,8 +77,11 @@ keymap_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 	unsigned char *keymap_str;
 	const unsigned char *keystroke_str;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &keymap_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &keymap_class, NULL))
+		return JS_FALSE;
 
 	data = JS_GetPrivate(ctx, obj); /* from @keymap_class */
 

src/scripting/smjs/view_state_object.c

@@ -39,8 +39,11 @@ view_state_get_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct view_state *vs;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &view_state_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &view_state_class, NULL))
+		return JS_FALSE;
 
 	vs = JS_GetPrivate(ctx, obj); /* from @view_state_class */
 
@@ -73,8 +76,11 @@ view_state_set_property(JSContext *ctx, JSObject *obj, jsval id, jsval *vp)
 {
 	struct view_state *vs;
 
-	assert(JS_InstanceOf(ctx, obj, (JSClass *) &view_state_class, NULL));
-	if_assert_failed return JS_FALSE;
+	/* This can be called if @obj if not itself an instance of the
+	 * appropriate class but has one in its prototype chain.  Fail
+	 * such calls.  */
+	if (!JS_InstanceOf(ctx, obj, (JSClass *) &view_state_class, NULL))
+		return JS_FALSE;
 
 	vs = JS_GetPrivate(ctx, obj); /* from @view_state_class */