Closed
Bug 568007
Opened 15 years ago
Closed 15 years ago
js_GetReservedSlot is too friendly to api abusers
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
Details
Attachments
(1 file)
|
701 bytes,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Bug 560557 changed js_SetReservedSlot, and I have a patch in my tree to do the same for js_GetReservedSlot, but I neglected to post it there.
6239 js_SetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval v)
here we are fatal to api abusers (per bug 560557):
6249 JS_ASSERT(index < limit || ReservedSlotIndexOK(cx, obj, clasp, index, limit));
here we are fatal to api abusers:
6262 JS_ASSERT(slot < nslots);
6218 js_GetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval *vp)
here we seem to be coddling api abusers:
6229 if (index >= limit && !ReservedSlotIndexOK(cx, obj, clasp, index, limit))
6230 return false;
I think this case should also be fatal.
Jason Orendorff wrote:
> ... there's the question of how this
> function should behave when the index is out of range. Hence this bug.
...
> In fact we're probably more likely to hit this assertion due to a bad bug in
> SpiderMonkey than for any other reason, our internal reserved-slot uses being
> far more complicated than those of any embedding I've seen.
Brendan Eich wrote (in bug 560557 comment 4 about js_SetReservedSlot):
> I did this out of paranoia over our own internal uses, yes. These seem debugged
> now. Let's just assert as usual.
|
||
Updated•15 years ago
|
Attachment #447324 -
Flags: review?(jorendorff) → review+
|
|
||
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Comment 2•15 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•