Closed Bug 560137 Opened 10 years ago Closed 10 years ago

ImplicitConvert might pass null baseType to CType::TypesEqual

Categories

(Core :: js-ctypes, defect, P1, critical)


Tracking

RESOLVED FIXED

People

(Reporter: timeless, Assigned: dwitte)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

1616 ImplicitConvert(JSContext* cx,

1693     JSObject* baseType = PointerType::GetBaseType(cx, targetType);
1705       bool voidptrTarget = baseType &&

1708       if (sourceCode == TYPE_pointer && voidptrTarget) {
1713       if (sourceCode == TYPE_array) {
1717         if (voidptrTarget || CType::TypesEqual(cx, baseType, elementType)) {
Assignee: nobody → dwitte
Status: NEW → ASSIGNED
Priority: -- → P1
Attached patch: patch
Assignee: dwitte → timeless
Attachment #439859 - Flags: review?(dwitte)
Comment on attachment 439859
patch

>-    if (sourceData) {
>+    if (sourceData && baseType) {
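Review bot: adding `&& baseType` to `if (sourceData && baseType) {` turns a null baseType into a silent skip of this branch rather than a reported failure, so the caller gets whatever the code after the block produces instead of a clear error; a separate `if (!baseType)` check that reports an error before the block makes the opaque-pointer case explicit and leaves the condition on `sourceData` alone.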

The matching 'else if' clause also requires 'baseType' to be non-null, so you can just move the 'baseType' check to above this block thusly:

  if (!baseType) {
    JS_ReportError(cx, "cannot implicitly convert to opaque pointer type");
    return false;
  }

r=dwitte with that.
Attachment #439859 - Flags: review?(dwitte) → review+
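The control flow the report and the review are talking about, as an added example rather than SpiderMonkey's own code: a reduced model of ImplicitConvert's pointer/array branches, with the pre-fix shape (the `baseType &&` guard covers `voidptrTarget` but not the later `TypesEqual` call) next to the shape dwitte asks for (one explicit null check before either branch). `Type`, `TypesEqual`, `ConvertToPointerUnguarded`, `ConvertToPointer`, `ReachesTypesEqualWithNullBase`, `ErrorFor` and the fixture types are assumptions made for this example; only the pointer-to-void* and array-to-pointer cases shown in the report are modelled.

```cpp
// Added example, not SpiderMonkey code: a reduced model of the control flow in
// ImplicitConvert that this bug describes. Type, TypesEqual, ConvertToPointer*
// and the fixture types below are assumptions made for the example.
#include <cstdio>
#include <string>

enum TypeCode { TYPE_void_t, TYPE_int32_t, TYPE_pointer, TYPE_array };

// Stand-in for a CType. A pointer to an opaque type (declared, never defined)
// has no base type, modelled here as baseType == nullptr.
struct Type {
  TypeCode code;
  const Type* baseType;  // pointee for TYPE_pointer, element type for TYPE_array
};

// Stand-in for CType::TypesEqual: it dereferences both arguments, so passing
// a null Type* is a crash, which is the hazard Coverity flagged.
static bool TypesEqual(const Type* a, const Type* b) {
  if (a->code != b->code) return false;
  if (a->baseType == b->baseType) return true;     // both null, or same object
  if (!a->baseType || !b->baseType) return false;  // one opaque, one not
  return TypesEqual(a->baseType, b->baseType);
}

// Constructed fixtures for the cases below.
static const Type kVoid       = { TYPE_void_t,  nullptr };
static const Type kInt32      = { TYPE_int32_t, nullptr };
static const Type kVoidPtr    = { TYPE_pointer, &kVoid };    // void*
static const Type kInt32Ptr   = { TYPE_pointer, &kInt32 };   // int32_t*
static const Type kOpaquePtr  = { TYPE_pointer, nullptr };   // struct foo* (opaque)
static const Type kInt32Array = { TYPE_array,   &kInt32 };   // int32_t[N]

// Shape of the code before the fix. 'voidptrTarget' is guarded with
// "baseType &&", but the array branch still reaches TypesEqual(baseType, ...)
// whenever baseType is null and the target is therefore not void*.
static bool ConvertToPointerUnguarded(const Type* sourceType, const Type* targetType,
                                      std::string* error) {
  const Type* baseType = targetType->baseType;
  bool voidptrTarget = baseType && baseType->code == TYPE_void_t;
  if (sourceType->code == TYPE_pointer && voidptrTarget)
    return true;
  if (sourceType->code == TYPE_array) {
    const Type* elementType = sourceType->baseType;
    if (voidptrTarget || TypesEqual(baseType, elementType))  // null deref when baseType == nullptr
      return true;
  }
  if (error) *error = "cannot implicitly convert";
  return false;
}

// True when the unguarded version would hand a null baseType to TypesEqual;
// lets the hazard be checked without executing the crashing path.
static bool ReachesTypesEqualWithNullBase(const Type* sourceType, const Type* targetType) {
  return targetType->baseType == nullptr && sourceType->code == TYPE_array;
}

// The shape the review asks for: reject an opaque target once, up front, so
// neither branch below can see a null baseType.
static bool ConvertToPointer(const Type* sourceType, const Type* targetType,
                             std::string* error) {
  const Type* baseType = targetType->baseType;
  if (!baseType) {
    if (error) *error = "cannot implicitly convert to opaque pointer type";
    return false;
  }
  bool voidptrTarget = baseType->code == TYPE_void_t;
  if (sourceType->code == TYPE_pointer && voidptrTarget)
    return true;
  if (sourceType->code == TYPE_array) {
    const Type* elementType = sourceType->baseType;
    if (voidptrTarget || TypesEqual(baseType, elementType))
      return true;
  }
  if (error) *error = "cannot implicitly convert";
  return false;
}

// Error text produced by the guarded version, empty string on success.
static std::string ErrorFor(const Type* sourceType, const Type* targetType) {
  std::string error;
  return ConvertToPointer(sourceType, targetType, &error) ? std::string() : error;
}

int main() {
  std::printf("int32_t[] -> int32_t* : %d\n", ConvertToPointer(&kInt32Array, &kInt32Ptr, nullptr));
  std::printf("int32_t*  -> void*    : %d\n", ConvertToPointer(&kInt32Ptr, &kVoidPtr, nullptr));
  std::printf("int32_t[] -> opaque*  : %s\n", ErrorFor(&kInt32Array, &kOpaquePtr).c_str());
  std::printf("unguarded would deref null: %d\n",
              ReachesTypesEqualWithNullBase(&kInt32Array, &kOpaquePtr));
  return 0;
}
```

The point the model makes visible is the asymmetry between the two guards: `baseType && ...` short-circuits when computing `voidptrTarget`, but `voidptrTarget || TypesEqual(...)` evaluates its right-hand side exactly when `voidptrTarget` is false, which includes the null-baseType case. Checking the invariant once at the top removes the need to reason about every later use.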
This is fixed by the patch in bug 560002, which makes non-null baseType an invariant. Might as well wait for that to land so we don't stomp on each other.
Depends on: 560002
Fixed by bug 560002.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Assignee: timeless → dwitte