Bug 233023 - Possible to crash SpiderMonkey in js_FindProperty()
Product: Core
Component: JavaScript Engine
Type: defect
Status: RESOLVED INVALID
Opened 20 years ago, closed 19 years ago
Reporter: shantirao
Assignee: Unassigned
User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
Exiting out of a scope chain (maybe the root scope threw an exception?) it's
possible for js_FindProperty() to access an invalid pointer. Two problems:
It's possible for cx->fp->scopeChain to be null
It's possible for lastobj to be undefined
Easy fix:
JS_FRIEND_API(JSBool)
js_FindProperty(JSContext *cx, jsid id, JSObject **objp, JSObject **pobjp,
                JSProperty **propp)
{
    JSRuntime *rt;
    JSObject *obj, *pobj, *lastobj;
    JSScopeProperty *sprop;
    JSProperty *prop;

    rt = cx->runtime;
    obj = cx->fp->scopeChain;
>>> lastobj = obj;
>>> if (obj != NULL)
    do {
Reproducible: Always
Steps to Reproduce:
Comment 1•19 years ago
Timeless, could you look at comment #0? Link to LXR: http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#2595
Comment 2•19 years ago
Comment 0 is confused. The do-while loop iterates at least once, so after it lastobj will be initialized (to the last obj reached by the parent chain). It sounds like shanti was seeing rooting or similar GC problems of some sort. I do not think this bug is valid, or particularly useful. /be
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
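The disagreement between comment 0 and comment 2 comes down to two separate claims: whether lastobj can be read uninitialized after the do-while, and whether a NULL cx->fp->scopeChain is reachable. The following is an added, self-contained C model of the parent-chain walk, not SpiderMonkey's code: ToyObj, its fields and the function names are constructed for illustration, and the sample chains are made up. It shows that the do-while body assigns lastobj on every path that exits the loop normally (comment 2's point), and that the only input on which the unguarded loop touches a bad pointer is a NULL chain head, which the seed-and-guard variant from comment 0 turns into a plain "not found".

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model of an object chain; not SpiderMonkey's JSObject.
 * Each object carries a label, a flag saying whether it holds the property
 * being looked up, and a parent pointer (NULL at the top of the chain). */
typedef struct ToyObj {
    const char *name;
    int has_prop;
    struct ToyObj *parent;
} ToyObj;

/* Unguarded walk, shaped like the loop in comment 0 without the >>> lines.
 * The do-while body runs at least once, so when the loop exits without an
 * early return, lastobj has been assigned (comment 2's point). The only
 * way to reach a bad pointer is start itself being NULL: the first
 * obj->has_prop read dereferences it. Returns the object holding the
 * property, or NULL; *lastp receives the last object visited. */
ToyObj *find_property_unguarded(ToyObj *start, ToyObj **lastp)
{
    ToyObj *obj = start, *lastobj;
    do {
        if (obj->has_prop) {
            *lastp = obj;
            return obj;
        }
        lastobj = obj;
    } while ((obj = obj->parent) != NULL);
    *lastp = lastobj;   /* defined: the body executed at least once */
    return NULL;
}

/* Guarded variant, shaped like the >>> lines in comment 0: seed lastobj
 * before the loop and skip the loop entirely when the chain head is NULL,
 * so a NULL scope chain reports "not found" instead of faulting. */
ToyObj *find_property_guarded(ToyObj *start, ToyObj **lastp)
{
    ToyObj *obj = start, *lastobj = start;
    if (obj != NULL) {
        do {
            if (obj->has_prop) {
                *lastp = obj;
                return obj;
            }
            lastobj = obj;
        } while ((obj = obj->parent) != NULL);
    }
    *lastp = lastobj;
    return NULL;
}

/* Sample chain leaf -> mid -> root (constructed data). Returns 1 when the
 * unguarded walk finds the property on root and reports root as lastobj. */
int demo_hit_on_root(void)
{
    ToyObj root = { "root", 1, NULL };
    ToyObj mid  = { "mid",  0, &root };
    ToyObj leaf = { "leaf", 0, &mid };
    ToyObj *last = NULL;
    ToyObj *found = find_property_unguarded(&leaf, &last);
    return found == &root && last == &root;
}

/* Same chain with the property on no object. Returns 1 when the walk
 * reports a miss and lastobj is the root: lastobj is defined on a miss. */
int demo_miss_leaves_lastobj_defined(void)
{
    ToyObj root = { "root", 0, NULL };
    ToyObj mid  = { "mid",  0, &root };
    ToyObj leaf = { "leaf", 0, &mid };
    ToyObj *last = NULL;
    ToyObj *found = find_property_unguarded(&leaf, &last);
    return found == NULL && last == &root;
}

/* NULL chain head. Only the guarded walk may be called here; the
 * unguarded one would dereference NULL on its first iteration. Returns 1
 * when the guarded walk reports a miss with a NULL lastobj. */
int demo_null_chain_guarded(void)
{
    ToyObj dummy = { "dummy", 0, NULL };
    ToyObj *last = &dummy;   /* sentinel that the call must overwrite */
    ToyObj *found = find_property_guarded(NULL, &last);
    return found == NULL && last == NULL;
}

int main(void)
{
    printf("hit on root: %d\n", demo_hit_on_root());
    printf("miss keeps lastobj defined: %d\n", demo_miss_leaves_lastobj_defined());
    printf("NULL chain with guard: %d\n", demo_null_chain_guarded());
    return 0;
}
```

The model supports comment 2 on the lastobj point: no exit path from the do-while leaves lastobj unassigned, so a crash attributed to it must come from somewhere else (a stale or unrooted object pointer, as comment 2 suggests). The guard only changes behaviour when the chain head is NULL, which is the one condition the report does not give a reproduction for.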