From 192497124e7cde747ade7bf89028586eea293be5 Mon Sep 17 00:00:00 2001
From: tsepez
Date: Thu, 12 Jan 2017 11:15:04 -0800
Subject: Custom toString() methods may delete annots.

In this case, we observe the destruction of the object, but have unfortunately saved a pointer to it in a local variable.

BUG=679643

Review-Url: https://codereview.chromium.org/2628233002
---
testing/resources/javascript/bug_679643.in | 135 +++++++++++++++++++++
.../resources/javascript/bug_679643_expected.txt | 3 +
2 files changed, 138 insertions(+)
create mode 100644 testing/resources/javascript/bug_679643.in
create mode 100644 testing/resources/javascript/bug_679643_expected.txt
(limited to 'testing/resources/javascript')
diff --git a/testing/resources/javascript/bug_679643.in b/testing/resources/javascript/bug_679643.in
new file mode 100644
index 0000000000..e9643860f7
--- /dev/null
+++ b/testing/resources/javascript/bug_679643.in
@@ -0,0 +1,135 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm 4 0 R
+ /OpenAction 10 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+% Page number 0.
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /Resources <<
+ /Font <>
+ >>
+ /Contents [21 0 R]
+ /MediaBox [0 0 612 792]
+ /Annots [7 0 R 8 0 R 9 0 R]
+>>
+endobj
+% Forms
+{{object 4 0}} <<
+ /XFA [
+ (xdp:xdp) 23 0 R
+ (form) 29 0 R
+ () 30 0 R
+ ]
+ /Fields [
+ 5 0 R
+ ]
+>>
+endobj
+% Fields
+{{object 5 0}} <<
+ /T (MyField)
+ /Kids [
+ 6 0 R
+ ]
+ /Rect [100 100 400 400]
+>>
+endobj
+{{object 6 0}} <<
+ /Parent 5 0 R
+ /FT /Btn
+ /Kids [
+ 7 0 R
+ 8 0 R
+ 9 0 R
+ ]
+ /Rect [200 200 220 220]
+>>
+endobj
+{{object 7 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [220 220 240 240]
+>>
+endobj
+{{object 8 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [240 240 260 260]
+>>
+endobj
+{{object 9 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [240 240 260 260]
+>>
+endobj
+% OpenAction action
+{{object 10 0}} <<
+ /Type /Action
+ /S /JavaScript
+ /JS 11 0 R
+>>
+endobj
+% JS program to exexute
+{{object 11 0}} <<
+>>
+stream
+var theName = "MyField";
+function Mangles() {
+ app.alert('Starting ...');
+ try {
+ var annots = this.getAnnots();
+ annots[0].name = {
+ toString: () => {
+ app.alert('Firing ...');
+ this.removeField(theName);
+ gc();
+ return false;
+ }
+ };
+ } catch (e) {
+ app.alert("failed: " + e);
+ }
+}
+Mangles();
+endstream
+endobj
+{{object 23 0}} <<
+>>stream
+
+
+endstream
+endobj
+{{object 29 0}} <<
+>>stream
+
+
+endstream
+endobj
+{{object 30 0}} <<
+>>stream
+
+endstream
+endobj
+{{xref}}
+trailer <<
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/javascript/bug_679643_expected.txt b/testing/resources/javascript/bug_679643_expected.txt
new file mode 100644
index 0000000000..36d4a31344
--- /dev/null
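Review bot: The script in object 11 of bug_679643.in carries no comment saying what it guards, so the expected `Annot.name: Object no longer exists.` line reads as an arbitrary error string; above `annots[0].name = {` I would add `// toString() runs inside the Annot.name setter and removes MyField, destroying its widget annots; the setter must report the dead object instead of using it.` The same comment should say that the case depends on `gc()` being callable in the test harness, which is presumably true but not visible on this page. Only the `name` setter on the first annot is exercised, and the fix itself lies outside this path-limited view, so whether other Annot properties go through the same conversion cannot be judged from here. Minor: `exexute` in the comment above object 11 should read `execute`.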
+++ b/testing/resources/javascript/bug_679643_expected.txt
@@ -0,0 +1,3 @@
+Alert: Starting ...
+Alert: Firing ...
+Alert: failed: Annot.name: Object no longer exists.
-- cgit v1.2.3