Bug 304175 - SET_SCOPE_INFO macro in DEBUG mode contains logical error
Status: Closed, RESOLVED WORKSFORME
Opened 19 years ago
Closed 19 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: artemfrolov, Unassigned
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

./mozilla/js/src/jslock.h:123
--------------
#define SET_SCOPE_INFO(scope_,file_,line_) \
    ((scope_)->ownercx ? (void)0 : \
     (JS_ASSERT((0 < (scope_)->u.count && (scope_)->u.count <= 4) || \
                SCOPE_IS_SEALED(scope_)), \
      (void)((scope_)->file[(scope_)->u.count-1] = (file_), \
             (scope_)->line[(scope_)->u.count-1] = (line_))))
------------

Arrays 'file' and 'line' of size 4 are accessed if the index is within the [0..3] range -OR- the scope is sealed (2nd bit in flags is set). The problem with that is that if the index is out of range and the scope is sealed, then an array bounds violation occurs. If this cannot happen (i.e. the scope is sealed if and only if count is within the [1..4] range), then the scope seal check is redundant. Either way, this macro contains a logical error. Though this is an array bounds violation, it may not be a security problem, since it exists only in the debug build.

Reproducible: Always

Expected Results:
Consistent assertion.

Found during testing of Klocwork K7 (http://www.klocwork.com/)
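To make the report's point concrete, here is an added C model (not Mozilla's code; the struct layout, MAX_OWNERS and the SCOPE_SEALED bit value are assumptions chosen to mirror the macro's shape) that compares the macro's original predicate with a hardened one checking the index regardless of the sealed bit:

```c
/* Added example, not Mozilla's code: a stand-alone model of the
 * SET_SCOPE_INFO condition quoted in the report. The struct layout,
 * MAX_OWNERS and the SCOPE_SEALED bit value are assumptions that
 * mirror the macro's shape; they are not copied from jslock.h. */
#include <stdint.h>
#include <stdio.h>

#define MAX_OWNERS   4     /* file[] and line[] have 4 slots, as in the report */
#define SCOPE_SEALED 0x2   /* assumed: "2nd bit in flags is set" */

typedef struct {
    void       *ownercx;          /* non-NULL: the macro is a no-op */
    uint8_t     flags;
    struct { uint32_t count; } u; /* u.count-1 is the array index */
    const char *file[MAX_OWNERS];
    uint32_t    line[MAX_OWNERS];
} ScopeModel;

/* Original predicate: index trusted if in range OR scope sealed.
 * Returns 1 when the JS_ASSERT would pass and the write proceeds. */
int original_check_passes(const ScopeModel *s)
{
    return (0 < s->u.count && s->u.count <= MAX_OWNERS) ||
           (s->flags & SCOPE_SEALED) != 0;
}

/* Hardened predicate: the index must be valid whatever the sealed
 * bit says; sealing never makes an out-of-range index safe. */
int hardened_check_passes(const ScopeModel *s)
{
    return 0 < s->u.count && s->u.count <= MAX_OWNERS;
}

/* Builds the report's scenario; returns 1 if the macro's write to
 * file[count-1] / line[count-1] would land outside the arrays. */
int would_write_oob(uint32_t count, int sealed, int use_hardened)
{
    ScopeModel s = { .ownercx = NULL, .flags = sealed ? SCOPE_SEALED : 0,
                     .u = { count } };
    int (*check)(const ScopeModel *) =
        use_hardened ? hardened_check_passes : original_check_passes;
    if (s.ownercx != NULL || !check(&s))
        return 0;                   /* no-op, or the assertion fires */
    /* count-1 is unsigned, so count == 0 wraps to a huge index */
    return !(s.u.count >= 1 && s.u.count <= MAX_OWNERS);
}

int main(void) { printf("sealed, count=7: original OOB=%d, hardened OOB=%d\n",
                        would_write_oob(7, 1, 0), would_write_oob(7, 1, 1)); }
```

With the original predicate a sealed scope whose count is 7 (or 0) passes the assertion and the write goes past slot 3; the hardened predicate makes the assertion fire instead.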
Comment 1 • 19 years ago
I don't see this code in the current version: http://lxr.mozilla.org/seamonkey/source/js/src/jslock.h
It was removed in bug 246441: http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jslock.h&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.26&rev2=3.27
Severity: trivial → normal
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → 1.7 Branch