Closed Bug 558609 Opened 10 years ago Closed 10 years ago

TM: Segfault with simple test case involving arguments

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set

RESOLVED FIXED

People

(Reporter: dvander, Assigned: brendan)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 1 obsolete file)

Problem is it's using aobj.length to read from fp->argv, even if fp->argc < aobj.length.

From looking at the old code, something like this?
Attachment #438303 - Flags: review?(brendan)
Attachment #438300 - Attachment is patch: false
Simpler patch in a sec.

/be
Attached patch: one-line fix
David, thanks for fielding this one -- I think you can r+ and I'll get it in. Igor is welcome to review as well.

Nick, sorry but here is yet another IsOverriddenArgsLength call that needs to be revised in your patch to invoke isArgsLengthOverridden.

/be
Assignee: general → brendan
Attachment #438303 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #438305 - Flags: review?(dvander)
Attachment #438303 - Flags: review?(brendan)
Attachment #438305 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/2656a80f2bbd
http://hg.mozilla.org/mozilla-central/rev/5ae0999d2502

/be
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Group: core-security
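
The out-of-bounds read described in the first comment, as an added example that is not the attached patch or SpiderMonkey code. It is a simplified C model in which `Frame`, `ArgsObj` and both copy functions are hypothetical names: a copy loop bounded by the script-visible length sits next to one that declines the fast path when the length was overridden or exceeds `argc`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not SpiderMonkey's real types. */
typedef struct {
    uint32_t argc;       /* actual arguments stored in argv */
    const double *argv;
} Frame;

typedef struct {
    const Frame *fp;
    uint32_t length;        /* script-visible arguments.length */
    bool length_overridden; /* true once script has assigned to length */
} ArgsObj;

/* Pattern from the report: the loop bound is the script-visible length,
 * so argv is read past its end whenever length > fp->argc. */
size_t copy_args_unchecked(const ArgsObj *a, double *out, size_t cap) {
    size_t n = a->length < cap ? a->length : cap;
    for (size_t i = 0; i < n; i++)
        out[i] = a->fp->argv[i];
    return n;
}

/* Guarded fast path: copy straight from argv only when length is known to
 * describe argv. Returns false so the caller can fall back to generic
 * property lookups instead of touching argv. */
bool copy_args_checked(const ArgsObj *a, double *out, size_t cap, size_t *copied) {
    *copied = 0;
    if (a->length_overridden || a->length > a->fp->argc || a->length > cap)
        return false;
    for (size_t i = 0; i < a->length; i++)
        out[i] = a->fp->argv[i];
    *copied = a->length;
    return true;
}

int main(void) {
    const double argv[2] = {1.0, 2.0};       /* constructed sample frame */
    Frame fp = {2, argv};
    ArgsObj overridden = {&fp, 1000, true};  /* models arguments.length = 1000 */
    double out[1000];
    size_t copied;
    bool fast = copy_args_checked(&overridden, out, 1000, &copied);
    printf("fast path taken: %d, copied: %zu\n", fast, copied);
    return 0;
}
```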