`FirstSubsumedFrame::operator=(&&)` (`js/public/Stack.h`) leaks the object's `principals` member (code from `FIREFOX_123_0_1_RELEASE`):
```cpp
// js/public/Stack.h, lines 150-152 (FIREFOX_123_0_1_RELEASE)
FirstSubsumedFrame& operator=(FirstSubsumedFrame&& rhs) {
  new (this) FirstSubsumedFrame(std::move(rhs));  // the old `principals` is never dropped
  return *this;
}

// js/public/Stack.h, lines 144-148: the move constructor invoked by the placement new above
FirstSubsumedFrame(FirstSubsumedFrame&& rhs)
    : principals(rhs.principals), ignoreSelfHosted(rhs.ignoreSelfHosted) {
  MOZ_ASSERT(this != &rhs, "self move disallowed");
  rhs.principals = nullptr;
}
```
because it doesn't drop `principals` before creating a new object from `rhs`. This usage might also invoke UB because the class depends upon the destructor's side-effects. (See C++20 draft spec n4750 s.6.6.3(5).)
```cpp
// js/public/Stack.h, lines 155-159
~FirstSubsumedFrame() {
  if (principals) {
    JS_DropPrincipals(cx, principals);
  }
}
```
Searchfox says that this function isn't called.
Reported as a security bug because of the potential UB.
Bug 1884268 Comment 0 Edit History
`FirstSubsumedFrame::operator=(&&)` (`js/public/Stack.h`) leaks the object's `principals` member (code from `FIREFOX_123_0_1_RELEASE`):
```cpp
// js/public/Stack.h, lines 150-152 (FIREFOX_123_0_1_RELEASE)
FirstSubsumedFrame& operator=(FirstSubsumedFrame&& rhs) {
  new (this) FirstSubsumedFrame(std::move(rhs));  // the old `principals` is never dropped
  return *this;
}

// js/public/Stack.h, lines 144-148: the move constructor invoked by the placement new above
FirstSubsumedFrame(FirstSubsumedFrame&& rhs)
    : principals(rhs.principals), ignoreSelfHosted(rhs.ignoreSelfHosted) {
  MOZ_ASSERT(this != &rhs, "self move disallowed");
  rhs.principals = nullptr;
}
```
because it doesn't drop `principals` before creating a new object from `rhs`. This usage might also invoke UB because the class depends upon the destructor's side-effects. (See C++20 draft spec n4750 s.6.6.3(5).)
```cpp
// js/public/Stack.h, lines 155-159
~FirstSubsumedFrame() {
  if (principals) {
    JS_DropPrincipals(cx, principals);
  }
}
```
Searchfox says that `operator= (&&)` isn't called.
Reported as a security bug because of the potential UB.
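The leak described in the report, reproduced in a self-contained model. This is an added example, not code from the bug or from Firefox: `FakePrincipals` and `FakeDropPrincipals` are constructed stand-ins for `JSPrincipals` and `JS_DropPrincipals`, and a global counter records how many times the reference is released. `LeakyFrame` copies the reported pattern (placement new over a live object, so the destructor's side effect never runs for the old `principals`); `SafeFrame` shows the conventional fix of releasing the current reference and then taking ownership of the right-hand side's.

```cpp
#include <cstdio>
#include <new>
#include <utility>

// Constructed stand-in for JSPrincipals: a refcount we can inspect afterwards.
struct FakePrincipals {
  int refcnt = 1;
};

static int gDropCalls = 0;  // how many times the stand-in for JS_DropPrincipals ran

static void FakeDropPrincipals(FakePrincipals* p) {
  ++gDropCalls;
  --p->refcnt;
}

// Mirrors the reported pattern: operator=(&&) placement-news a fresh object over
// *this without first running ~LeakyFrame(), so the reference held before the
// assignment is never dropped. Reusing storage of an object whose destructor has
// side effects the program depends on is also the UB the report points at.
struct LeakyFrame {
  FakePrincipals* principals;
  explicit LeakyFrame(FakePrincipals* p) : principals(p) {}
  LeakyFrame(LeakyFrame&& rhs) : principals(rhs.principals) { rhs.principals = nullptr; }
  LeakyFrame& operator=(LeakyFrame&& rhs) {
    new (this) LeakyFrame(std::move(rhs));  // old principals silently overwritten
    return *this;
  }
  ~LeakyFrame() {
    if (principals) FakeDropPrincipals(principals);
  }
};

// Hardened variant: release what we hold, then steal rhs's reference.
struct SafeFrame {
  FakePrincipals* principals;
  explicit SafeFrame(FakePrincipals* p) : principals(p) {}
  SafeFrame(SafeFrame&& rhs) : principals(std::exchange(rhs.principals, nullptr)) {}
  SafeFrame& operator=(SafeFrame&& rhs) {
    if (this != &rhs) {
      if (principals) FakeDropPrincipals(principals);
      principals = std::exchange(rhs.principals, nullptr);
    }
    return *this;
  }
  ~SafeFrame() {
    if (principals) FakeDropPrincipals(principals);
  }
};

// Runs one move-assignment between two frames and reports how many drops
// happened in total (assignment plus both destructors). A correct
// implementation drops twice: once for the overwritten reference, once for the
// reference that survives to the end of the scope.
template <class Frame>
static int DropsAfterMoveAssign(int* leakedRefcnt) {
  gDropCalls = 0;
  FakePrincipals a, b;  // constructed sample objects
  {
    Frame x(&a);
    Frame y(&b);
    x = std::move(y);  // x's original reference (a) should be dropped here
  }                    // destructors drop whatever is still held
  *leakedRefcnt = a.refcnt;  // 0 if `a` was released, 1 if it leaked
  return gDropCalls;
}

int LeakyDropCount(int* leakedRefcnt) { return DropsAfterMoveAssign<LeakyFrame>(leakedRefcnt); }
int SafeDropCount(int* leakedRefcnt) { return DropsAfterMoveAssign<SafeFrame>(leakedRefcnt); }

int main() {
  int leaked = 0;
  std::printf("leaky: drops=%d, refcnt left on overwritten principals=%d\n",
              LeakyDropCount(&leaked), leaked);
  std::printf("safe:  drops=%d, refcnt left on overwritten principals=%d\n",
              SafeDropCount(&leaked), leaked);
  return 0;
}
```

The leaky variant reports one drop and leaves the overwritten `FakePrincipals` with its refcount still at 1; the safe variant reports two drops and a refcount of 0. A `swap`-based move assignment (move-construct a temporary from `rhs`, swap it with `*this`, let the temporary's destructor drop the old reference) is an equally correct alternative to the explicit release shown in `SafeFrame`.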