Possible to crash SpiderMonkey in js_FindProperty()

RESOLVED INVALID

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 14 years ago
Modified: 13 years ago

People

(Reporter: Shanti Rao, Unassigned)

Tracking

Version: Trunk

Description

14 years ago
User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Exiting out of a scope chain (maybe the root scope threw an exception?), it's
possible for js_FindProperty() to access an invalid pointer. Two problems:

It's possible for cx->fp->scopeChain to be null
It's possible for lastobj to be undefined

Easy fix:
JS_FRIEND_API(JSBool)
js_FindProperty(JSContext *cx, jsid id, JSObject **objp, JSObject **pobjp,
    JSProperty **propp)
{
  JSRuntime *rt;
  JSObject *obj, *pobj, *lastobj;
  JSScopeProperty *sprop;
  JSProperty *prop;

  rt = cx->runtime;
  obj = cx->fp->scopeChain;
>>> lastobj = obj;
>>> if (obj != NULL)
  do {

Reproducible: Always
Steps to Reproduce:

Comment 1

13 years ago
Timeless, could you look at comment #0? Link to LXR:
http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#2595

Comment 0 is confused.  The do-while loop iterates at least once, so after it
lastobj will be initialized (to the last obj reached by the parent chain).  It
sounds like Shanti was seeing rooting or similar GC problems of some sort.  I do
not think this bug is valid, or particularly useful.

/be
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
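The two claims in this bug, that lastobj can be left unset and that a NULL scope chain can be dereferenced, are easiest to check on a small model of the walk. The following is an added illustration written for this page, not SpiderMonkey code: ScopeObj, FindResult, find_property() and the sample chain are hypothetical stand-ins for JSObject, the parent chain and js_FindProperty(). It keeps the do-while shape of the excerpt in comment 0, so the body runs at least once and lastobj is always assigned on exit (comment 1's point), and it shows where a NULL-chain guard would have to sit to turn an invalid read into a clean "not found".

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified scope object for this illustration: one property
 * per scope plus a parent link. It stands in for the parent chain that
 * js_FindProperty() walks; it is NOT SpiderMonkey's JSObject. */
typedef struct ScopeObj {
    const char *prop_name;    /* name of the single property this scope defines */
    int prop_value;
    struct ScopeObj *parent;  /* next object up the chain; NULL past the global object */
} ScopeObj;

/* Lookup result: the object holding the property (NULL if none), whether it
 * was found, and the last object the walk reached (models lastobj). */
typedef struct {
    ScopeObj *holder;
    ScopeObj *lastobj;
    int found;
} FindResult;

/* Walk the chain with the same do-while shape as the excerpt in comment 0.
 * The body always runs at least once, so lastobj is assigned before the loop
 * exits; that is why comment 1 says it cannot be "undefined". The only
 * invalid read possible here is entering with a NULL chain, and the guard
 * below rejects that instead of dereferencing it. */
FindResult find_property(ScopeObj *scope_chain, const char *name)
{
    FindResult r = { NULL, NULL, 0 };
    ScopeObj *obj = scope_chain;
    ScopeObj *lastobj = NULL;

    if (obj == NULL)          /* the reporter's "scopeChain can be null" case */
        return r;

    do {
        lastobj = obj;
        if (obj->prop_name != NULL && strcmp(obj->prop_name, name) == 0) {
            r.holder = obj;
            r.found = 1;
            break;
        }
        obj = obj->parent;
    } while (obj != NULL);

    r.lastobj = lastobj;      /* holder if found, else the end of the chain */
    return r;
}

/* Constructed sample chain: block -> function -> global. */
static ScopeObj g_global = { "x", 1, NULL };
static ScopeObj g_func   = { "y", 2, &g_global };
static ScopeObj g_block  = { "z", 3, &g_func };

ScopeObj *sample_scope_chain(void) { return &g_block; }   /* innermost scope */
ScopeObj *sample_global(void)      { return &g_global; }  /* end of the chain */

int main(void)
{
    const char *names[] = { "x", "z", "w" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        FindResult r = find_property(sample_scope_chain(), names[i]);
        printf("%s: found=%d holder=%s lastobj=%s\n", names[i], r.found,
               r.holder ? r.holder->prop_name : "(none)",
               r.lastobj ? r.lastobj->prop_name : "(null)");
    }
    FindResult r = find_property(NULL, "x");
    printf("null chain: found=%d lastobj=%s\n", r.found,
           r.lastobj ? r.lastobj->prop_name : "(null)");
    return 0;
}
```

Note that the guard only helps if a NULL chain is actually reachable; comment 1's position is that in the real engine it is not, and that a crash at this point is more likely a rooting or GC problem elsewhere, which a check here would mask rather than fix.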