SET_SCOPE_INFO macro in DEBUG mode contains logical error

RESOLVED WORKSFORME

Status

Core
JavaScript Engine
RESOLVED WORKSFORME
13 years ago
11 years ago

People

(Reporter: Artem Frolov, Unassigned)

Tracking

1.7 Branch
x86
All
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

./mozilla/js/src/jslock.h:123
--------------
#define SET_SCOPE_INFO(scope_,file_,line_)                                    \
    ((scope_)->ownercx ? (void)0 :                                            \
     (JS_ASSERT((0 < (scope_)->u.count && (scope_)->u.count <= 4) ||          \
                SCOPE_IS_SEALED(scope_)),                                     \
      (void)((scope_)->file[(scope_)->u.count-1] = (file_),                   \
             (scope_)->line[(scope_)->u.count-1] = (line_))))
------------
Arrays 'file' and 'line' of size 4 are accessed if the index is within the [0..3] range
-OR- the scope is sealed (2nd bit in flags is set). The problem with that is that if the
index is out of range and the scope is sealed, then an array bounds violation occurs.

If this cannot happen (i.e. the scope is sealed if and only if count is within the
[1..4] range), then the scope seal check is redundant.

Either way, this macro contains a logical error.

Though this is an array bounds violation, this may not be a security problem, since
this problem exists only in the debug build.

Reproducible: Always

Expected Results:
Consistent assertion.

Found during testing of Klocwork K7 (http://www.klocwork.com/)
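Added example, not code from the report or from SpiderMonkey: a constructed stand-in for the scope fields the macro touches (SCOPE_FILE_SLOTS, SCOPE_SEALED_FLAG and scope_t are assumptions, not the real JSScope layout) that separates the predicate the original assertion checks from the precondition the subsequent store actually needs, so the masked case (sealed scope, count outside 1..4) can be tested, beside a checked replacement that refuses to write out of range regardless of the sealed flag.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the fields SET_SCOPE_INFO touches; not SpiderMonkey's JSScope. */
#define SCOPE_FILE_SLOTS 4          /* 'file' and 'line' arrays have 4 entries */
#define SCOPE_SEALED_FLAG 0x02      /* "2nd bit in flags" per the report; exact value assumed */

typedef struct {
    void *ownercx;                  /* non-NULL: scope is owned, macro does nothing */
    unsigned flags;
    unsigned count;                 /* index written is count-1 */
    const char *file[SCOPE_FILE_SLOTS];
    unsigned line[SCOPE_FILE_SLOTS];
} scope_t;

#define SCOPE_IS_SEALED(s) (((s)->flags & SCOPE_SEALED_FLAG) != 0)

static scope_t make_scope(unsigned count, bool sealed) {
    scope_t s = {0};
    s.count = count;
    s.flags = sealed ? SCOPE_SEALED_FLAG : 0;
    return s;
}

/* True whenever the original JS_ASSERT in the macro would pass. */
static bool original_assert_passes(unsigned count, bool sealed) {
    scope_t s = make_scope(count, sealed);
    return (0 < s.count && s.count <= SCOPE_FILE_SLOTS) || SCOPE_IS_SEALED(&s);
}

/* What the store file[count-1] / line[count-1] actually requires. */
static bool store_is_in_bounds(unsigned count) {
    return 0 < count && count <= SCOPE_FILE_SLOTS;
}

/* The case the report describes: assertion passes, store runs out of bounds. */
static bool assertion_masks_oob(unsigned count, bool sealed) {
    return original_assert_passes(count, sealed) && !store_is_in_bounds(count);
}

/* Checked replacement: bounds are enforced independently of the sealed flag.
   Returns false instead of writing when the index would be out of range. */
static bool set_scope_info_checked(unsigned count, bool sealed, const char *file, unsigned line) {
    scope_t s = make_scope(count, sealed);
    if (s.ownercx != NULL) return true;            /* owned scope: nothing to record */
    if (!store_is_in_bounds(s.count)) return false; /* would index past the arrays */
    s.file[s.count - 1] = file;
    s.line[s.count - 1] = line;
    return s.file[s.count - 1] == file && s.line[s.count - 1] == line;
}
```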

Comment 1

12 years ago
I don't see this code in the current version:
http://lxr.mozilla.org/seamonkey/source/js/src/jslock.h

It was removed in bug 246441:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jslock.h&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.26&rev2=3.27
Severity: trivial → normal
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WORKSFORME

Updated

11 years ago
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → 1.7 Branch