Bug 1543166 - Missing nullptr check for |key| in IonBuilder::computeHeapType

Status: RESOLVED FIXED (opened 6 months ago, closed 6 months ago)
Component: Core :: JavaScript Engine: JIT
Type: defect
Target Milestone: mozilla68
Tracking Status: firefox67 + fixed, firefox68 --- fixed
Reporter: jandem
Assignee: jandem
Attachments: 1 file

getObject can return nullptr when the objects are stored in a HashSet, see shell test below.

// SpiderMonkey shell test: newGlobal() and FakeDOMObject are shell-only
// builtins, so this must be run with the js shell, not in a browser.
function f() {
    var arr = [];
    // Create objects from 12 different globals so the property's TypeSet
    // holds more object keys than fit in its inline array and switches to
    // a TypeHashSet, which has empty (nullptr) slots.
    for (var i = 0; i < 12; i++) {
        var g = newGlobal();
        var o = new g.FakeDOMObject();
        o[0] = 1;
        arr.push(o);
    }
    // Hot loop so Ion compiles the element access and computeHeapType
    // walks the TypeSet; x is left as an implicit global on purpose.
    for (var i = 0; i < 3000; i++) {
        x = arr[i % arr.length][0];
    }
}
f();
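The shape of the bug, as an added illustration that is not SpiderMonkey code: a toy TypeSet whose object list starts as a small dense array and moves to an open-addressed hash table once it grows, so that getObjectCount() reports table slots and getObject(i) returns nullptr for the empty ones. The inline capacity, table size, ObjectKey fields and the computeHeapType walk are all assumptions chosen to mirror the description above; the null check in computeHeapType is the fix the patch adds.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

namespace toy {

// Stand-in for a TypeSet object key (assumed fields, not the real ObjectKey).
struct ObjectKey {
    size_t id;        // opaque identity used only for hashing
    bool singleton;   // hypothetical property the caller consults
};

class TypeSet {
public:
    static constexpr size_t kInlineCapacity = 8;   // assumed inline limit
    static constexpr size_t kHashCapacity   = 32;  // assumed table size

    void addObject(ObjectKey* key) {
        if (!hashed_) {
            if (dense_.size() < kInlineCapacity) { dense_.push_back(key); return; }
            // Overflow: migrate to a hash table; unused slots stay nullptr.
            hashed_ = true;
            table_.assign(kHashCapacity, nullptr);
            for (ObjectKey* k : dense_) insert(k);
            dense_.clear();
        }
        insert(key);
    }

    // With a hash set, "count" is the number of slots, some of them empty,
    // so getObject(i) can legitimately return nullptr.
    size_t getObjectCount() const { return hashed_ ? table_.size() : dense_.size(); }
    ObjectKey* getObject(size_t i) const { return hashed_ ? table_[i] : dense_[i]; }
    bool usesHashSet() const { return hashed_; }

private:
    void insert(ObjectKey* key) {
        size_t h = (key->id * 2654435761u) % table_.size();
        for (size_t n = 0; n < table_.size(); ++n) {   // linear probing
            size_t slot = (h + n) % table_.size();
            if (!table_[slot] || table_[slot] == key) { table_[slot] = key; return; }
        }
    }
    bool hashed_ = false;
    std::vector<ObjectKey*> dense_;
    std::vector<ObjectKey*> table_;
};

struct HeapTypeResult {
    bool allSingleton = true;
    size_t objectsSeen = 0;
    size_t emptySlotsSkipped = 0;
};

// Fixed shape of the walk: every getObject() result is checked before use.
HeapTypeResult computeHeapType(const TypeSet& set) {
    HeapTypeResult r;
    for (size_t i = 0; i < set.getObjectCount(); ++i) {
        ObjectKey* key = set.getObject(i);
        if (!key) {                 // empty hash-set slot: skip, never deref
            ++r.emptySlotsSkipped;
            continue;
        }
        ++r.objectsSeen;
        if (!key->singleton) r.allSingleton = false;
    }
    return r;
}

// Mirrors the shell test: n objects, each a distinct key, in one TypeSet.
// `storage` owns the keys so the pointers in the set stay valid.
TypeSet buildSetWithObjects(std::vector<ObjectKey>& storage, size_t n) {
    storage.clear();
    storage.reserve(n);
    TypeSet set;
    for (size_t i = 0; i < n; ++i) {
        storage.push_back(ObjectKey{0x1000 + 0x40 * i, true});
        set.addObject(&storage.back());
    }
    return set;
}

} // namespace toy

int main() {
    std::vector<toy::ObjectKey> keys;
    toy::TypeSet set = toy::buildSetWithObjects(keys, 12);
    toy::HeapTypeResult r = toy::computeHeapType(set);
    std::printf("hash set: %d, slots: %zu, objects: %zu, empty: %zu\n",
                set.usesHashSet(), set.getObjectCount(), r.objectsSeen, r.emptySlotsSkipped);
    return 0;
}
```

With three objects the set stays dense and no slot is null; with twelve it has moved to the table, twenty of the thirty-two slots are nullptr, and an unchecked `key->singleton` on one of them is exactly the crash the patch prevents.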

getObject can return nullptr when the TypeSet uses a TypeHashSet for the objects.

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d12fd897acb7
Add missing null check in IonBuilder::computeHeapType. r=tcampbell

Comment on attachment 9057197 [details]
Bug 1543166 - Add missing null check in IonBuilder::computeHeapType. r?tcampbell!

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1176406
  • User impact if declined: Old bug, but we've seen this cause crashes in the wild and it's a very safe fix.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very safe and small fix that makes the code match similar code elsewhere.
  • String changes made/needed: N/A
Attachment #9057197 - Flags: approval-mozilla-beta?

Comment on attachment 9057197 [details]
Bug 1543166 - Add missing null check in IonBuilder::computeHeapType. r?tcampbell!

Fix for potential crashes, low risk patch covered by tests, approved for 67 beta 10, thanks!

Attachment #9057197 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68