Closed
Bug 620173
Opened 15 years ago
Closed 14 years ago
crash [@ Snapshot | GetIterator] because null check is inverted
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: timeless, Assigned: timeless)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, crash)
Attachments
(1 file)
1.09 KB,
patch
619 GetIterator(JSContext *cx, JSObject *obj, uintN flags, Value *vp)
713 if (flags & JSITER_FOREACH) {
715 if (JS_LIKELY(obj != NULL) && !Snapshot<ValueEnumeration>(cx, obj, flags, &vals))
716 return false;
720 } else {
722 if (JS_LIKELY(obj != NULL) && !Snapshot<KeyEnumeration>(cx, obj, flags, &keys))
723 return false;
Comment 2•14 years ago
Comment on attachment 498586: flip check
Review of attachment 498586:
Is this really a bug? The code says:
> if (JS_LIKELY(obj != NULL) && !Snapshot<ValueEnumeration>(cx, obj, flags, &vals))
>     return false;
which is a cryptic way of saying:
> if (JS_LIKELY(obj != NULL)) {
>     if (!Snapshot<ValueEnumeration>(cx, obj, flags, &vals))
>         return false;
> }
If obj is null, this is supposed to succeed (see the comment above this chunk of code: /* NB: for (var p in null) succeeds by iterating over no properties.*/). I think we're supposed to call VectorToValueIterator, passing NULL as the second parameter, to create an iterator that produces no property names.
If this is really a crash, supply the test case and I'll re-review (with less latency this time).
Attachment #498586 -
Flags: review?(jorendorff)
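The reading given in Comment 2, as an added example that is not SpiderMonkey code and not part of the bug thread: a simplified C++ model showing that the one-line guard and the nested form behave identically, and that a null object succeeds with no properties instead of reaching the dereference. Obj, snapshot, iterCompact, iterNested and outcome are hypothetical names, and the sample objects are constructed.

```cpp
// Added illustration: a simplified model, not SpiderMonkey source.
#include <cstdio>
#include <string>
#include <vector>

struct Obj {                        // hypothetical stand-in for JSObject
    std::vector<std::string> props;
    bool failEnumeration;           // simulates Snapshot reporting an error
};

// Stand-in for Snapshot<KeyEnumeration>: it dereferences obj unconditionally,
// so every caller has to rule out a null pointer first.
static bool snapshot(const Obj *obj, std::vector<std::string> *out) {
    if (obj->failEnumeration)
        return false;
    out->insert(out->end(), obj->props.begin(), obj->props.end());
    return true;
}

// The one-line form quoted in the review.
static bool iterCompact(const Obj *obj, std::vector<std::string> *keys) {
    if (obj != nullptr && !snapshot(obj, keys))
        return false;
    return true;  // null obj lands here: an iterator over no properties
}

// The nested form the reviewer spells out.
static bool iterNested(const Obj *obj, std::vector<std::string> *keys) {
    if (obj != nullptr) {
        if (!snapshot(obj, keys))
            return false;
    }
    return true;
}

typedef bool (*IterFn)(const Obj *, std::vector<std::string> *);

// Number of keys produced, or -1 when the function reports failure.
static int outcome(IterFn fn, const Obj *obj) {
    std::vector<std::string> keys;
    return fn(obj, &keys) ? static_cast<int>(keys.size()) : -1;
}

int main() {
    Obj ok{{"a", "b"}, false}, bad{{"a"}, true};  // constructed sample objects
    const Obj *cases[] = {nullptr, &ok, &bad};
    for (const Obj *o : cases)
        std::printf("compact=%d nested=%d\n", outcome(iterCompact, o), outcome(iterNested, o));
    return 0;
}
```

Because && short-circuits, snapshot is never called with a null pointer in either form; the only path that returns false is a non-null object whose enumeration fails.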
I don't want to think about this anymore.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Updated•14 years ago
Crash Signature: [@ Snapshot | GetIterator]
Updated•7 years ago
Blocks: coverity-analysis