1037898 - CID 1136430: Out-of-bounds access as found by Coverity

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

+++ This bug was initially created as a clone of Bug #1037890 +++

Coverity analysis of source code in js/src has found an Out-of-bounds access.


3656    if (!typeScript)
3657        return false;
3658
3659    new(typeScript) TypeScript();
3660
    
2. derived_to_base: Converting derived class pointer typeScript->typeArray() of type js::types::ConstraintTypeSet * (24 bytes) to base class pointer type js::types::TypeSet * (16 bytes).
    
3. assign: Assigning: typeArray = typeScript->typeArray().
3661    TypeSet *typeArray = typeScript->typeArray();
3662
    
4. Condition i < count, taking true branch
3663    for (unsigned i = 0; i < count; i++)
    
CID 1136430 (#1 of 1): Out-of-bounds access (ARRAY_VS_SINGLETON)5. ptr_arith: Using typeArray as an array. This might corrupt or misinterpret adjacent memory locations.
3664        new (&typeArray[i]) StackTypeSet();
3665
3666    types = typeScript;

in file js/src/jsinfer.cpp .

Jan, any thoughts on how to move forward here? (not sure how bad this is, so setting s-s first.)

Comment 1

[Jan de Mooij [:jandem]]

Clever find. TypeScript is zero-initialized and the TypeSet/StackTypeSet constructors also write zero so I *think* this is harmless atm.

Looks like

TypeSet *typeArray = typeScript->typeArray();

Should be StackTypeSet *typeArray.

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Yeah, this is harmless.

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2f62414fe13f

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/2f62414fe13f