Bug 378994: NULL pointer no check
Opened 17 years ago, closed 17 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 342180
People: Reporter: luntan1234, Unassigned
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Build Identifier: js 1.6

js_DestroyContext call js_MarkScriptFilenames

js_MarkScriptFilenames(JSRuntime *rt, uintN gcflags)
{
    JSCList *head, *link;
    ScriptFilenamePrefix *sfp;

    if (gcflags & GC_KEEP_ATOMS) {
        JS_HashTableEnumerateEntries(rt->scriptFilenameTable,
                                     js_script_filename_marker,
                                     rt);
    }
    // no check if head is NULL
    for (head = &rt->scriptFilenamePrefixes, link = head->next;
         link != head;
         link = link->next) {
        sfp = (ScriptFilenamePrefix *) link;
        js_MarkScriptFilename(sfp->name);
    }
}

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1•17 years ago
see also bug 342180, although that fixed it in another location (maybe not fixing it in your scenario)
Comment 2•17 years ago
li_jin: did you see a crash, or are you reporting something you think is a bug by inspection? head = &rt->something, and it's loop-invariant, so it cannot be null (or nearly null) unless rt is null. So I don't think this is a bug. Igor, can you check on comment 1's hypothesis that we need another rt->scriptFilenameTable null check? /be
Comment 3•17 years ago
(In reply to comment #2)
> Igor, can you check on comment 1's hypothesis that we need another
> rt->scriptFilenameTable null check?

I do not see any problems here with looping over a circular list.
head->next may be NULL.
I found the reason is JS_CreateRuntime, param invalid:

JSRuntime* rt = JS_CreateRuntime(0);
JSContext* cx = JS_CreateContext( rt, 8192 );

This causes JS_CreateContext to fail; js_DestroyContext calls js_MarkScriptFilenames, and head->next is NULL.
this is reported against js1.6, i.e. 3.79.2.5
http://bonsai.mozilla.org/cvsblame.cgi?&file=/mozilla/js/src/jsscript.c&mark=1189&rev=3.79.2.5#1179
http://bonsai.mozilla.org/cvsblame.cgi?&file=/mozilla/js/src/jsscript.c&mark=1189&rev=SPIDERMONKEY_1_6_0_BRANCH#1179

this was fixed in 1.101
http://bonsai.mozilla.org/cvsblame.cgi?&file=/mozilla/js/src/jsscript.c&mark=1210,1218&rev=3.101#1205
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
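
An added example, not part of the bug thread and not SpiderMonkey code: it separates the two claims made above, that head (the address of a struct member) cannot be NULL while head->next can be. The types and function names are simplified stand-ins, and the zero-filled runtime whose list head was never initialised is an assumed way of reaching the head->next == NULL state the reporter describes.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for JSCList / ScriptFilenamePrefix / JSRuntime (assumed shapes). */
typedef struct CList { struct CList *next, *prev; } CList;
typedef struct Prefix { CList links; const char *name; } Prefix;
typedef struct Runtime { CList scriptFilenamePrefixes; } Runtime;

static void clist_init(CList *l) { l->next = l; l->prev = l; }
static void clist_append(CList *e, CList *head) {
    e->next = head; e->prev = head->prev;
    head->prev->next = e; head->prev = e;
}

/* Same loop shape as in the report, plus a guard: returns the number of
 * prefixes visited, or -1 if the ring is broken by a NULL link. */
static int walk_prefixes(Runtime *rt) {
    CList *head = &rt->scriptFilenamePrefixes; /* member address: non-NULL if rt is */
    CList *link;
    int visited = 0;
    for (link = head->next; link != head; link = link->next) {
        if (link == NULL)
            return -1; /* the unguarded loop would read link->next here */
        visited++;
    }
    return visited;
}

/* Constructed scenario: zero-filled runtime, list head never initialised. */
static int walk_zeroed_runtime(void) {
    Runtime rt;
    memset(&rt, 0, sizeof rt);
    return walk_prefixes(&rt);
}

/* Constructed scenario: initialised head with two entries appended. */
static int walk_initialised_runtime(void) {
    Runtime rt;
    Prefix a = { {0, 0}, "file:" }, b = { {0, 0}, "chrome:" };
    clist_init(&rt.scriptFilenamePrefixes);
    clist_append(&a.links, &rt.scriptFilenamePrefixes);
    clist_append(&b.links, &rt.scriptFilenamePrefixes);
    return walk_prefixes(&rt);
}

int main(void) {
    printf("zeroed: %d, initialised: %d\n", walk_zeroed_runtime(), walk_initialised_runtime());
    return 0;
}
```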