Closed Bug 304175 Opened 19 years ago Closed 19 years ago

SET_SCOPE_INFO macro in DEBUG mode contains logical error

Categories

(Core :: JavaScript Engine, defect)

1.7 Branch
x86
All
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: artemfrolov, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

./mozilla/js/src/jslock.h:123
--------------
#define SET_SCOPE_INFO(scope_,file_,line_)                                    \
    ((scope_)->ownercx ? (void)0 :                                            \
     (JS_ASSERT((0 < (scope_)->u.count && (scope_)->u.count <= 4) ||          \
                SCOPE_IS_SEALED(scope_)),                                     \
      (void)((scope_)->file[(scope_)->u.count-1] = (file_),                   \
             (scope_)->line[(scope_)->u.count-1] = (line_))))
------------
Arrays 'file' and 'line' of size 4 are accessed if the index is within the [0..3] range
-OR- the scope is sealed (2nd bit in flags is set). The problem with that is that if the
index is out of range and the scope is sealed, then an array bounds violation occurs.

If this cannot happen (i.e. the scope is sealed if and only if count is within the
[1..4] range), then the scope seal check is redundant.

Either way, this macro contains a logical error.

Though this is an array bounds violation, this may not be a security problem, since
this problem exists only in the debug build.

Reproducible: Always

Expected Results:
Consistent assertion.

Found during testing of Klocwork K7 (http://www.klocwork.com/)
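The following is an added illustration of the reporter's point, not code from the bug or from SpiderMonkey. It models only the fields the macro touches (a constructed scope_t with ownercx, flags, count, file[] and line[]; the real JSScope layout is not reproduced) and separates the condition the original JS_ASSERT checks from the condition that actually makes the file[count-1]/line[count-1] store valid. The "sealed but count outside [1..4]" case passes the first and fails the second; a hardened setter refuses the store instead of performing it, so the demonstration never writes out of bounds.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the JSScope fields the macro touches; not the
 * real SpiderMonkey structure.  Names mirror the report: ownercx, u.count,
 * file[], line[], and a "sealed" flag in the 2nd bit. */
#define SCOPE_SEALED      0x2u
#define SCOPE_INFO_SLOTS  4

typedef struct {
    void       *ownercx;                 /* non-NULL: single owner, nothing recorded */
    uint32_t    flags;
    uint32_t    count;                   /* stands in for scope->u.count */
    const char *file[SCOPE_INFO_SLOTS];
    int         line[SCOPE_INFO_SLOTS];
} scope_t;

#define SCOPE_IS_SEALED_FLAGS(f) (((f) & SCOPE_SEALED) != 0)

/* What the original JS_ASSERT checks before the store. */
int original_assert_passes(uint32_t count, uint32_t flags)
{
    return (0 < count && count <= SCOPE_INFO_SLOTS) || SCOPE_IS_SEALED_FLAGS(flags);
}

/* What must hold for file[count-1] / line[count-1] to be a valid store. */
int index_in_bounds(uint32_t count)
{
    return 0 < count && count <= SCOPE_INFO_SLOTS;
}

/* 1 when the assertion lets execution reach an out-of-bounds store:
 * exactly the "sealed but count outside [1..4]" case from the report. */
int assert_gap(uint32_t count, uint32_t flags)
{
    return original_assert_passes(count, flags) && !index_in_bounds(count);
}

/* Hardened form: the early-out on ownercx is kept, but the bounds condition
 * is checked on its own, with the seal state no longer widening it.
 * Returns 0 when the store happened, -1 when it was refused. */
int set_scope_info_checked(scope_t *s, const char *file, int line)
{
    if (s->ownercx)
        return 0;
    if (!index_in_bounds(s->count))
        return -1;                       /* the original would write past the array here */
    s->file[s->count - 1] = file;
    s->line[s->count - 1] = line;
    return 0;
}

/* Builds a scope with the given count/flags and reports what the hardened setter does. */
int try_record(uint32_t count, uint32_t flags)
{
    scope_t s;
    memset(&s, 0, sizeof s);
    s.flags = flags;
    s.count = count;
    return set_scope_info_checked(&s, "example.c", 42);
}

int main(void)
{
    /* sealed, count = 5: the assertion passes, yet the store would be out of bounds */
    printf("assertion passes=%d in_bounds=%d gap=%d checked_store=%d\n",
           original_assert_passes(5, SCOPE_SEALED), index_in_bounds(5),
           assert_gap(5, SCOPE_SEALED), try_record(5, SCOPE_SEALED));
    return 0;
}
```

In a debug build the same idea is an unconditional JS_ASSERT on the index range placed before the store; the seal check, if it is wanted at all, belongs in a separate assertion rather than in a disjunction with the bounds test.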
I don't see this code in the current version:
http://lxr.mozilla.org/seamonkey/source/js/src/jslock.h

It was removed in bug 246441:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jslock.h&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.26&rev2=3.27
Severity: trivial → normal
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → 1.7 Branch