Bug 575024 - JSObject::resizeDenseArrayElements comparison is always false due to limited range of data type
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
Mentors:
Depends on:
Blocks: 560774 CVE-2010-3777
Reported: 2010-06-26 19:13 PDT by timeless
Modified: 2011-01-11 23:23 PST (History)
blocking2.0: betaN+
status1.9.2: .13-fixed
status1.9.1: .17-fixed

Attachments
patch (569 bytes, patch)
2010-06-26 19:17 PDT, timeless
dvander: review+
christian: approval1.9.2.13+
dveditz: approval1.9.1.16-
1.9.1 port (1.55 KB, patch)
2010-12-01 17:56 PST, Daniel Veditz [:dveditz]
dveditz: review+
dveditz: approval1.9.1.17+

Description timeless 2010-06-26 19:13:47 PDT
js/src/jsarray.cpp: In member function ‘bool JSObject::resizeDenseArrayElements(JSContext*, uint32, uint32, bool)’:
340: warning: comparison is always false due to limited range of data type
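What the compiler is saying in the description is that the guard at jsarray.cpp:340 cannot fire: a uint32 parameter is being compared against a limit that is wider than 32 bits, and on the x86_64 build this was reported on the limit is larger than any value a uint32 can hold. A length check that never fires leaves whatever arithmetic it was meant to protect unprotected, which is why a warning that looks cosmetic is tracked under a CVE here. The following is an added example in C that models the pattern and its fix; it is not SpiderMonkey's code and the names `Slot`, `MAX_SLOTS_LENGTH`, `MAX_SLOTS_LENGTH32`, `reject_buggy`, `reject_fixed` and `plan_resize` are hypothetical stand-ins, as is the 32-bit byte-count arithmetic used to show the consequence. The page does not include the patch, so the exact form of the real fix is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte slot standing in for an engine value (not SpiderMonkey's type). */
typedef struct { uint64_t bits; } Slot;

/* Hypothetical caps. MAX_SLOTS_LENGTH is derived from a 64-bit size_t, modelling
 * the x86_64 build the warning came from; MAX_SLOTS_LENGTH32 is the same cap
 * expressed in the width of the uint32 length parameter. */
#define MAX_SLOTS_LENGTH   (UINT64_MAX / sizeof(Slot))   /* 0x1FFFFFFFFFFFFFFF */
#define MAX_SLOTS_LENGTH32 (UINT32_MAX / sizeof(Slot))   /* 0x1FFFFFFF */

/* Buggy guard: true means "reject this length". newlen is promoted to 64 bits
 * for the comparison, and its largest value (0xFFFFFFFF) is still far below
 * MAX_SLOTS_LENGTH, so the condition can never hold. This is the shape of code
 * GCC flags with "comparison is always false due to limited range of data type". */
static bool reject_buggy(uint32_t newlen)
{
    return newlen > MAX_SLOTS_LENGTH;
}

/* Fixed guard: the cap is stated in the parameter's own width, so lengths whose
 * byte count would not fit in 32 bits are actually rejected. */
static bool reject_fixed(uint32_t newlen)
{
    return newlen > MAX_SLOTS_LENGTH32;
}

/* Byte count for the new slot array computed in 32-bit arithmetic, as code that
 * carries lengths as uint32 may do. Wraps silently on overflow; the guard above
 * is what is supposed to keep such lengths from getting here. */
static uint32_t slot_bytes32(uint32_t newlen)
{
    return newlen * (uint32_t)sizeof(Slot);
}

typedef struct {
    bool     allowed;   /* false if the guard rejected the request */
    uint32_t bytes;     /* size handed to the allocator when allowed */
} ResizePlan;

/* Allocation plan under a given guard. With the buggy guard a wrapped byte
 * count reaches the allocator for any length whose true size exceeds 4 GiB. */
static ResizePlan plan_resize(uint32_t newlen, bool (*reject)(uint32_t))
{
    ResizePlan p = { false, 0 };
    if (reject(newlen))
        return p;
    p.allowed = true;
    p.bytes = slot_bytes32(newlen);
    return p;
}

/* Probe the boundary lengths: does this guard ever reject anything? For the
 * buggy guard the answer is no, which is exactly what the compiler warned about. */
static bool guard_ever_rejects(bool (*reject)(uint32_t))
{
    const uint32_t probes[] = { 0, (uint32_t)MAX_SLOTS_LENGTH32,
                                (uint32_t)MAX_SLOTS_LENGTH32 + 1,
                                0x40000000u, UINT32_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (reject(probes[i]))
            return true;
    return false;
}

int main(void)
{
    /* 1 Gi slots is 8 GiB of storage, which wraps to 0 bytes in 32-bit arithmetic. */
    const uint32_t newlen = 0x40000000u;
    ResizePlan buggy = plan_resize(newlen, reject_buggy);
    ResizePlan fixed = plan_resize(newlen, reject_fixed);

    printf("buggy guard ever rejects: %s\n", guard_ever_rejects(reject_buggy) ? "yes" : "no");
    printf("fixed guard ever rejects: %s\n", guard_ever_rejects(reject_fixed) ? "yes" : "no");
    printf("buggy: %#x slots -> allowed=%d bytes=%#x\n", newlen, buggy.allowed, buggy.bytes);
    printf("fixed: %#x slots -> allowed=%d bytes=%#x\n", newlen, fixed.allowed, fixed.bytes);
    return 0;
}
```

Building this with `-Wextra` (GCC) or default warnings (Clang) reproduces the diagnostic on `reject_buggy`, which is the practical check: treat "comparison is always false" on a bounds check as a bug report, not noise, because the compiler has just proven the check is dead. Comment 4 below also notes that the 1.9.1 branch had no `MAX_DSLOTS_LENGTH32`-style constant at all, so the port needed more than the one-line substitution.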
Comment 1 timeless 2010-06-26 19:17:08 PDT
Created attachment 454320 [details] [diff] [review]
patch
Comment 3 Daniel Veditz [:dveditz] 2010-10-19 14:03:52 PDT
Comment on attachment 454320 [details] [diff] [review]
patch

Nice safe stability win for branches.
Comment 4 Daniel Veditz [:dveditz] 2010-11-18 19:58:39 PST
Comment on attachment 454320 [details] [diff] [review]
patch

Patch doesn't apply on 1.9.1 because, trivially, the param was called "size" rather than "newlen", but also there is no MAX_DSLOTS_LENGTH32. Also the function patched is static ResizeSlots() rather than JSObject::resizeDenseArrayElements(), but that probably doesn't matter.
Comment 5 Reed Loden [:reed] (use needinfo?) 2010-11-19 01:38:57 PST
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1207bf8fed24
Comment 6 Daniel Veditz [:dveditz] 2010-12-01 17:56:49 PST
Created attachment 494601 [details] [diff] [review]
1.9.1 port
Comment 7 Daniel Veditz [:dveditz] 2010-12-01 18:00:01 PST
Comment on attachment 494601 [details] [diff] [review]
1.9.1 port

Got verbal r+ from dvander
Comment 8 Daniel Veditz [:dveditz] 2010-12-02 18:28:12 PST
Comment on attachment 494601 [details] [diff] [review]
1.9.1 port

Not going to respin 1.9.1.16 so .17 it is.
Comment 9 Daniel Veditz [:dveditz] 2010-12-10 10:50:07 PST
reassigning to myself so i remember to land it this time.
Comment 10 Daniel Veditz [:dveditz] 2011-01-11 23:23:14 PST
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ed88e6a66ef9