Bug 620942 (closed) - jsshell Clear uses obj uninitialized when argc==0
Opened 9 years ago, closed 8 years ago
Status: RESOLVED DUPLICATE of bug 749392
Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Reporter: timeless
Assignee: Unassigned
Blocks: 1 open bug
Keywords: coverity

For reference, this is the xpcshell impl:

    /* xpcshell: refuses to run unless the first argument is a non-primitive (object) value */
    static JSBool
    Clear(JSContext *cx, uintN argc, jsval *vp)
    {
        if (argc > 0 && !JSVAL_IS_PRIMITIVE(JS_ARGV(cx, vp)[0])) {
            JS_ClearScope(cx, JSVAL_TO_OBJECT(JS_ARGV(cx, vp)[0]));
        } else {
            JS_ReportError(cx, "'clear' requires an object");
            return JS_FALSE;
        }
        JS_SET_RVAL(cx, vp, JSVAL_VOID);
        return JS_TRUE;
    }

And here's the ipcshell impl:

    /* ipcshell: same check as xpcshell, with argv hoisted into a local */
    static JSBool
    Clear(JSContext *cx,
          uintN argc,
          jsval *vp)
    {
        jsval *argv = JS_ARGV(cx, vp);
        if (argc > 0 && !JSVAL_IS_PRIMITIVE(argv[0])) {
            JS_ClearScope(cx, JSVAL_TO_OBJECT(argv[0]));
        } else {
            JS_ReportError(cx, "'clear' requires an object");
            return JS_FALSE;
        }
        JS_SET_RVAL(cx, vp, JSVAL_VOID);
        return JS_TRUE;
    }

Unfortunately, this is the jsshell impl:

    static JSBool
    Clear(JSContext *cx, uintN argc, jsval *vp)
    {
        JSObject *obj;

Note that if argc == 0, then we do not continue in the if condition:

        if (argc != 0 && !JS_ValueToObject(cx, JS_ARGV(cx, vp)[0], &obj))

which means we can't return false:

            return JS_FALSE;

Instead, we use obj, which has not been initialized:

        JS_ClearScope(cx, obj);
        JS_SET_RVAL(cx, vp, JSVAL_VOID);
        return JS_TRUE;
    }

At least at the beginning of time, clear() didn't say it required any arguments.
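The control-flow bug above, and the two obvious ways to close it, as an added stand-alone model (this is not code from the bug, from jsshell or from SpiderMonkey). The JSContext, jsval, JS_ValueToObject, JS_ClearScope and JS_ReportError below are minimal stubs that only mimic the shapes used in the snippets; they are assumptions, not the real engine API. Because reading a genuinely uninitialized pointer is undefined behaviour in C, the buggy variant seeds obj with a labelled "stack garbage" sentinel so the effect of the short-circuited && can be observed deterministically. The null check in the first fix reflects a real property of JS_ValueToObject: for null and undefined it reports success with *objp set to NULL, so testing the return value alone is not enough.

```c
/* Added example: model of the jsshell Clear() argc == 0 bug and two hardened rewrites.
 * All JS_* names are local stubs (assumption), not the real SpiderMonkey API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct JSObject { const char *name; } JSObject;

typedef struct jsval {
    bool is_object;           /* primitive values carry no object */
    JSObject *obj;
} jsval;

typedef struct JSContext {
    JSObject *global;         /* what a zero-argument clear() could reasonably default to */
    JSObject *last_cleared;   /* stub JS_ClearScope records its argument here */
    char last_error[64];      /* stub JS_ReportError records the message here */
} JSContext;

/* Stub: succeeds only for object values. The real API also succeeds for null/undefined
 * with *objp == NULL, which is why the hardened version checks obj as well. */
static bool JS_ValueToObject(JSContext *cx, jsval v, JSObject **objp) {
    (void)cx;
    if (!v.is_object) return false;
    *objp = v.obj;
    return true;
}

static void JS_ClearScope(JSContext *cx, JSObject *obj) { cx->last_cleared = obj; }

static void JS_ReportError(JSContext *cx, const char *msg) {
    strncpy(cx->last_error, msg, sizeof cx->last_error - 1);
    cx->last_error[sizeof cx->last_error - 1] = '\0';
}

/* Stands in for whatever happened to be on the stack (constructed sentinel). */
static JSObject stack_garbage = { "<stack garbage>" };

/* Mirrors the reported jsshell logic: with argc == 0 the && short-circuits,
 * JS_ValueToObject never runs, and obj is passed on without ever being assigned. */
static bool Clear_buggy(JSContext *cx, unsigned argc, jsval *argv) {
    JSObject *obj = &stack_garbage;   /* models "uninitialized" */
    if (argc != 0 && !JS_ValueToObject(cx, argv[0], &obj))
        return false;
    JS_ClearScope(cx, obj);
    return true;
}

/* Fix 1: require an object argument, matching the xpcshell/ipcshell shells. */
static bool Clear_require_arg(JSContext *cx, unsigned argc, jsval *argv) {
    JSObject *obj = NULL;
    if (argc == 0 || !JS_ValueToObject(cx, argv[0], &obj) || obj == NULL) {
        JS_ReportError(cx, "'clear' requires an object");
        return false;
    }
    JS_ClearScope(cx, obj);
    return true;
}

/* Fix 2: keep the old "no argument needed" contract by defaulting to the global object. */
static bool Clear_default_global(JSContext *cx, unsigned argc, jsval *argv) {
    JSObject *obj = cx->global;
    if (argc != 0 && !JS_ValueToObject(cx, argv[0], &obj))
        return false;
    JS_ClearScope(cx, obj);
    return true;
}

/* Constructed inputs for the demo and tests. */
static JSObject sample_target = { "target" };
static jsval object_val(JSObject *o) { jsval v = { true, o }; return v; }
static jsval primitive_val(void)     { jsval v = { false, NULL }; return v; }

/* Runs one variant on a fresh context and reports either the error message,
 * a bare false return, or the name of the object that was cleared. */
static const char *run_clear(bool (*fn)(JSContext *, unsigned, jsval *),
                             unsigned argc, jsval arg) {
    static JSObject global = { "global" };
    static JSContext cx;
    cx.global = &global;
    cx.last_cleared = NULL;
    cx.last_error[0] = '\0';
    jsval argv[1] = { arg };          /* argv[0] is only read when argc != 0 */
    if (!fn(&cx, argc, argv))
        return cx.last_error[0] ? cx.last_error : "<returned false>";
    return cx.last_cleared ? cx.last_cleared->name : "<nothing cleared>";
}

int main(void) {
    printf("buggy, argc=0:          %s\n", run_clear(Clear_buggy, 0, primitive_val()));
    printf("require_arg, argc=0:    %s\n", run_clear(Clear_require_arg, 0, primitive_val()));
    printf("default_global, argc=0: %s\n", run_clear(Clear_default_global, 0, primitive_val()));
    printf("require_arg, object:    %s\n", run_clear(Clear_require_arg, 1, object_val(&sample_target)));
    return 0;
}
```

Either fix is acceptable; which one is right depends on the contract clear() is supposed to honour. Initializing obj to NULL alone would only turn the garbage pointer into a null dereference inside JS_ClearScope, so the argument check has to be made explicit one way or the other.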
Clear was removed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 749392