Closed Bug 233023 Opened 20 years ago Closed 19 years ago

Possible to crash SpiderMonkey in js_FindProperty()

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED INVALID

People

(Reporter: shantirao, Unassigned)

Details

Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Exiting out of a scope chain (maybe the root scope threw an exception?), it's
possible for js_FindProperty() to access an invalid pointer. Two problems:

It's possible for cx->fp->scopeChain to be null
It's possible for lastobj to be undefined

Easy fix:
JS_FRIEND_API(JSBool)
js_FindProperty(JSContext *cx, jsid id, JSObject **objp, JSObject **pobjp,
    JSProperty **propp)
{
  JSRuntime *rt;
  JSObject *obj, *pobj, *lastobj;
  JSScopeProperty *sprop;
  JSProperty *prop;

  rt = cx->runtime;
  obj = cx->fp->scopeChain;
>>> lastobj = obj;
>>> if (obj != NULL)
  do {

Reproducible: Always
Steps to Reproduce:

Timeless, could you look at comment #0? Link to LXR:
http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#2595

Comment 0 is confused. The do-while loop iterates at least once, so after it
lastobj will be initialized (to the last obj reached by the parent chain). It
sounds like shanti was seeing rooting or similar GC problems of some sort. I do
not think this bug is valid, or particularly useful.

/be
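A constructed C model of the chain walk the two comments disagree about (added here; not SpiderMonkey's code). It keeps the do-while shape of js_FindProperty with `lastobj = obj` at the end of every pass, so a miss always reports the last object reached, and adds the NULL-chain guard from comment 0 as an explicit early return. The ScopeObj type, its prop_id field and the three-object chain are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
/* Assumed stand-in for a parent-linked scope object; not SpiderMonkey's JSObject. */
typedef struct ScopeObj {
    struct ScopeObj *parent;   /* plays the role of OBJ_GET_PARENT */
    int prop_id;               /* the one property id this object owns */
} ScopeObj;

/* Walks the chain the way js_FindProperty does: the do-while body runs at least
 * once and assigns lastobj before the parent test, so on a miss lastobj is set.
 * Returns 1 on a hit (*objp = owner), 0 on a miss (*objp = lastobj), -1 when the
 * chain is NULL: the cx->fp->scopeChain == NULL case, guarded rather than crashed on. */
int find_property(ScopeObj *scope_chain, int id, ScopeObj **objp)
{
    ScopeObj *obj = scope_chain, *lastobj = NULL;
    if (obj == NULL) {
        *objp = NULL;
        return -1;
    }
    do {
        if (obj->prop_id == id) {
            *objp = obj;
            return 1;
        }
        lastobj = obj;           /* reached on every pass, including the first */
    } while ((obj = obj->parent) != NULL);
    *objp = lastobj;             /* initialized: the body ran at least once */
    return 0;
}

/* Constructed chain: block scope -> function scope -> global. */
static ScopeObj g_global = { NULL, 10 };
static ScopeObj g_func   = { &g_global, 20 };
static ScopeObj g_block  = { &g_func, 30 };

/* prop_id of the object a lookup reports in *objp, or -1 for a NULL chain. */
int reported_object(ScopeObj *chain, int id)
{
    ScopeObj *objp;
    return find_property(chain, id, &objp) < 0 ? -1 : objp->prop_id;
}

int main(void)
{
    printf("lookup 20 from block: owner %d\n", reported_object(&g_block, 20));
    printf("lookup 99 from block: lastobj %d\n", reported_object(&g_block, 99));
    printf("lookup on NULL chain: %d\n", reported_object(NULL, 20));
    return 0;
}
```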
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID