Closed Bug 233023 Opened 22 years ago Closed 21 years ago

Possible to crash SpiderMonkey in js_FindProperty()

Categories: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED INVALID

People: Reporter: shantirao; Assignee: Unassigned

Details

User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Exiting out of a scope chain (maybe the root scope threw an exception?), it's possible for js_FindProperty() to access an invalid pointer. Two problems:

It's possible for cx->fp->scopeChain to be null.
It's possible for lastobj to be undefined.

Easy fix:

    JS_FRIEND_API(JSBool)
    js_FindProperty(JSContext *cx, jsid id, JSObject **objp, JSObject **pobjp,
                    JSProperty **propp)
    {
        JSRuntime *rt;
        JSObject *obj, *pobj, *lastobj;
        JSScopeProperty *sprop;
        JSProperty *prop;

        rt = cx->runtime;
        obj = cx->fp->scopeChain;
    >>> lastobj = obj;
    >>> if (obj != NULL) do {

Reproducible: Always

Steps to Reproduce:
Comment 0 is confused. The do-while loop iterates at least once, so after it lastobj will be initialized (to the last obj reached by the parent chain). It sounds like shanti was seeing rooting or similar GC problems of some sort. I do not think this bug is valid, or particularly useful. /be
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
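The disagreement above turns on the semantics of a do-while scope-chain walk. The following is an added illustration, not SpiderMonkey's code: a minimal model of a parent-chain property lookup in the shape of js_FindProperty(), with constructed objects and this example's own names (ScopeObj, scope_find_property, example_chain). It shows that lastobj is assigned on the first iteration whenever the chain head is non-NULL, and that the only way to reach an invalid pointer is a NULL head, which this version rejects before the loop.

```c
/* Added example, not SpiderMonkey's js_FindProperty(): a toy scope-chain
 * lookup. Objects hold a small property table and a parent pointer; the
 * lookup walks the chain with a do-while exactly as the engine's code does,
 * so `lastobj` is initialized by the first iteration. A NULL chain head is
 * reported as a broken invariant rather than dereferenced. */
#include <stddef.h>
#include <string.h>

#define MAX_PROPS 4

typedef struct ScopeObj {
    const char *name;                 /* label, for readability only */
    const char *props[MAX_PROPS];     /* property names (NULL = empty slot) */
    int values[MAX_PROPS];            /* values parallel to props[] */
    struct ScopeObj *parent;          /* next object up the scope chain */
} ScopeObj;

/* Look up `id` on one object. Returns 1 and stores the value on a hit. */
static int obj_lookup(const ScopeObj *obj, const char *id, int *out) {
    for (int i = 0; i < MAX_PROPS; i++) {
        if (obj->props[i] && strcmp(obj->props[i], id) == 0) {
            *out = obj->values[i];
            return 1;
        }
    }
    return 0;
}

/* Walk the chain from `head`. Returns 1 and sets *pobjp to the holder on a
 * hit; returns 0 and sets *pobjp to the last object reached (the global) on
 * a miss, mirroring the `lastobj` role; returns -1 for a NULL head so the
 * caller sees the violated invariant instead of a NULL dereference. */
int scope_find_property(ScopeObj *head, const char *id,
                        ScopeObj **pobjp, int *out) {
    ScopeObj *obj = head, *lastobj = NULL;
    if (obj == NULL) {
        *pobjp = NULL;
        return -1;
    }
    do {
        if (obj_lookup(obj, id, out)) {
            *pobjp = obj;
            return 1;
        }
        lastobj = obj;      /* assigned on every pass, including the first */
        obj = obj->parent;
    } while (obj != NULL);
    *pobjp = lastobj;       /* always initialized: the body ran at least once */
    return 0;
}

/* Constructed chain for the example: block -> function -> global */
static ScopeObj global_obj = { "global",   {"x", "print", NULL, NULL}, {1, 2, 0, 0},   NULL };
static ScopeObj func_obj   = { "function", {"y", NULL, NULL, NULL},    {10, 0, 0, 0},  &global_obj };
static ScopeObj block_obj  = { "block",    {"z", NULL, NULL, NULL},    {100, 0, 0, 0}, &func_obj };

/* Head of the constructed chain, so callers can run the lookups. */
ScopeObj *example_chain(void) { return &block_obj; }
```

Running scope_find_property(example_chain(), "nope", ...) returns 0 with *pobjp pointing at the global object, which is the behaviour the do-while guarantees; only scope_find_property(NULL, ...) takes the guarded path, which is the case the reporter's added `if (obj != NULL)` was aimed at.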