SET_SCOPE_INFO macro in DEBUG mode contains logical error

RESOLVED WORKSFORME


Reporter: artemfrolov (Unassigned)

Tracking: 1.7 Branch, x86, All


Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

./mozilla/js/src/jslock.h:123
--------------
#define SET_SCOPE_INFO(scope_,file_,line_)                                    \
    ((scope_)->ownercx ? (void)0 :                                            \
     (JS_ASSERT((0 < (scope_)->u.count && (scope_)->u.count <= 4) ||          \
                SCOPE_IS_SEALED(scope_)),                                     \
      (void)((scope_)->file[(scope_)->u.count-1] = (file_),                   \
             (scope_)->line[(scope_)->u.count-1] = (line_))))
------------
Arrays 'file' and 'line' of size 4 are accessed if the index is within the [0..3] range
-OR- the scope is sealed (2nd bit in flags is set). The problem with that is that if the
index is out of range and the scope is sealed, an array bounds violation occurs.

If this cannot happen (i.e. scope is sealed if and only if count is within
[1..4] range), then scope seal check is redundant.

Either way, this macro contains a logical error.

Though this is an array bounds violation, it may not be a security problem, since
the problem exists only in debug builds.

Reproducible: Always

Expected Results:
Consistent assertion.

Found during testing of Klocwork K7 (http://www.klocwork.com/)
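As an added example (not code from this report or from SpiderMonkey), the following stand-alone C model reproduces the logic the report describes: the assertion is a disjunction, so a sealed scope whose count is outside [1..4] passes the check and the write to file[count-1] proceeds past the array. The struct layout, the seal-flag value, the unsigned type of count and the checked variant are assumptions made for illustration; the checked variant makes the bounds test unconditional, which is the property the write actually needs.

```c
/* Added example, not code from the bug report or from SpiderMonkey: a
 * stand-alone model of the SET_SCOPE_INFO assertion quoted above. The
 * struct layout, the seal-flag value, the unsigned count type and the
 * checked variant are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SCOPE_SLOTS       4     /* file[] and line[] hold 4 entries, as in the report */
#define SCOPE_SEALED_FLAG 0x2   /* "2nd bit in flags" per the report (assumed value) */

struct scope {
    void *ownercx;                     /* non-NULL: single owner, nothing recorded */
    struct { unsigned count; } u;      /* 1-based slot count; count-1 is the index */
    unsigned flags;
    const char *file[SCOPE_SLOTS];
    unsigned line[SCOPE_SLOTS];
};

#define SCOPE_IS_SEALED(s) (((s)->flags & SCOPE_SEALED_FLAG) != 0)

/* Build a scope in the state under discussion (constructed test data). */
struct scope make_scope(unsigned count, bool sealed)
{
    struct scope s;
    memset(&s, 0, sizeof s);
    s.u.count = count;
    s.flags = sealed ? SCOPE_SEALED_FLAG : 0;
    return s;
}

/* The original JS_ASSERT condition, as a predicate: true means the
 * assertion passes and the macro goes on to write file[count-1]. */
bool original_assert_passes(const struct scope *s)
{
    return (0 < s->u.count && s->u.count <= SCOPE_SLOTS) || SCOPE_IS_SEALED(s);
}

/* What the write actually requires: count-1 must index inside the arrays. */
bool index_in_bounds(const struct scope *s)
{
    return 0 < s->u.count && s->u.count <= SCOPE_SLOTS;
}

/* True if a sealed scope with an out-of-range count slips past the
 * original assertion, i.e. the seal alone satisfies the disjunction. */
bool original_check_has_gap(void)
{
    struct scope zero = make_scope(0, true);               /* index would wrap to UINT_MAX */
    struct scope over = make_scope(SCOPE_SLOTS + 1, true); /* index would be 4, past the end */
    return original_assert_passes(&zero) && !index_in_bounds(&zero) &&
           original_assert_passes(&over) && !index_in_bounds(&over);
}

/* Checked variant: the bounds test is unconditional, so the sealed state
 * cannot bypass it. Returns false (and writes nothing) instead of
 * indexing past the arrays. */
bool set_scope_info_checked(struct scope *s, const char *file, unsigned line)
{
    if (s->ownercx)
        return true;                   /* same early-out as the original macro */
    if (!index_in_bounds(s))
        return false;                  /* the write the original would have done */
    s->file[s->u.count - 1] = file;
    s->line[s->u.count - 1] = line;
    return true;
}

int main(void)
{
    struct scope sealed = make_scope(SCOPE_SLOTS + 1, true);
    printf("original assertion passes for sealed, count=5: %s\n",
           original_assert_passes(&sealed) ? "yes" : "no");
    printf("index in bounds:                               %s\n",
           index_in_bounds(&sealed) ? "yes" : "no");
    printf("checked variant records it:                    %s\n",
           set_scope_info_checked(&sealed, __FILE__, __LINE__) ? "yes" : "no");
    return original_check_has_gap() ? 0 : 1;
}
```

The point of the two predicates is that original_assert_passes() and index_in_bounds() disagree exactly on the sealed, out-of-range scopes the report calls out; a static checker such as the one mentioned in the report flags that gap because the assertion does not imply the index property the write depends on.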

Comment 1

13 years ago
I don't see this code in the current version:
http://lxr.mozilla.org/seamonkey/source/js/src/jslock.h

It was removed in bug 246441:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jslock.h&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.26&rev2=3.27
Severity: trivial → normal
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME

Updated

13 years ago
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → 1.7 Branch