Closed Bug 1248420 Opened 8 years ago Closed 8 years ago

js::ArraySetLength should return false when getGroup returns nullptr.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: arai, Assigned: arai)

Details

Attachments

(1 file)

Handle JSObject::getGroup OOM in js::ArraySetLength.
1.63 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
Similar to bug 1248405, 

https://dxr.mozilla.org/mozilla-central/rev/e355cacefc881ba360d412853b57e8e060e966f4/js/src/jsarray.cpp#618
>         ObjectGroup* arrGroup = arr->getGroup(cx);
>         if (!arr->isIndexed() &&
>             !MOZ_UNLIKELY(!arrGroup || arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED)))

it should return false immediately when !arrGroup.
just handled group == nullptr case.
Assignee: nobody → arai.unmht
Attachment #8719517 - Flags: review?(jdemooij)
Attachment #8719517 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/995ff53a4d50c9986e3475c1b4bc1ea8cc0f7aad
Bug 1248420 - Handle JSObject::getGroup OOM in js::ArraySetLength. r=jandem
https://hg.mozilla.org/mozilla-central/rev/995ff53a4d50
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox47: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: