Closed
Bug 1651000
Opened 4 years ago
Closed 4 years ago
CacheIR.cpp: Wrong null check in jit::NewWrapperWithObjectShape()
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla80
| Tracking | Status | |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: izbyshev, Assigned: jandem)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
obj is checked for NULL at https://searchfox.org/mozilla-central/rev/91d82d7c/js/src/jit/CacheIR.cpp#6834, but it seems like wrapper should be checked instead.
|
Reporter | |
Updated•4 years ago
|
Blocks: svace-analysis
|
||
Updated•4 years ago
|
Component: Source Code Analysis → JavaScript Engine: JIT
Flags: needinfo?(jdemooij)
Product: Firefox Build System → Core
|
Assignee | |
Comment 1•4 years ago
|
||
Found by static analysis.
I wish we didn't have these browser-specific optimizations. Maybe after Warp we
can make bigger changes to our object/proxy model and address this.
|
||
Updated•4 years ago
|
Assignee: nobody → jdemooij
|
|
Assignee | |
Comment 2•4 years ago
|
||
Thanks for the bug report!
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aa2d5c9aee45 Fix OOM check in NewWrapperWithObjectShape. r=iain
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox80:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
You need to log in
before you can comment on or make changes to this bug.
Description
•