Closed Bug 576386 Opened 10 years ago Closed 10 years ago

AddPropertyHelper will crash under JS_UNLOCK_SCOPE when js_GetMutableScope fails

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
status1.9.2 --- ?
status1.9.1 --- ?

People

(Reporter: timeless, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: coverity, crash, Whiteboard: [fixed-in-tracemonkey])

200 AddPropertyHelper(JSContext* cx, JSObject* obj, JSScopeProperty* sprop, bool isDefinitelyAtom)

205     JSScope* scope = obj->scope();

211         scope = js_GetMutableScope(cx, obj);
212         if (!scope)
213             goto exit_trace;

248   exit_trace:
249     JS_UNLOCK_SCOPE(cx, scope);
This also affects 1.9.1 and 1.9.2.
status1.9.1: --- → ?
status1.9.2: --- → ?
http://hg.mozilla.org/mozilla-central/rev/7243675d47f1
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.