Closed
Bug 623441
Opened 10 years ago
Closed 10 years ago
JSCompartment::wrap missing oom check
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | .x+ |
People
(Reporter: luke, Assigned: luke)
References
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
2.19 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
Namely: JetpackChild.cpp : ReportError Handle.h : GetParent, CreateHandle xpcconvert.cpp: NativeInterface2JSObject/CreateHolderIfNeeded xpccomponents.cpp : CallOrConstruct, GetGlobalForObject nsNPAPIPluggin.cpp: _evaluate ObjectWrapperParent.cpp : jsval_from_PObjectWrapperParent nsJSEnvironment.cpp : nsJSContext::SetProperty nsDOMClassInfo.cpp : nsWindowSH::GetProperty nsScriptableRegion.cpp : GetRects dmandelin and I found these while investigating bug 605290: several of these flow into 'jsval' IDL outparams which would then explode in JSCompartment::wrap when it was called by GatherAndConvertOutparams in XPCNW::CallMethod fixing this will fix that bug.
|
Assignee | |
Comment 1•10 years ago
|
||
Oh duh, I just remembered while putting Scott to sleep that JSVAL_IS_OBJECT === js::Value::isObjectOrNull OBJECT_TO_JSVAL === js::Value::setObjectOrNull so all the above cases aren't actually bugs. (For fatvals, I didn't want to change the semantics of these public API functions since that would effectively force embeddings (incl. mozilla) to do a whole-program data-flow analysis.) So it looks like, for bug 605190, the princess is in another castle.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
|
|
Assignee | |
Updated•10 years ago
|
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 2•10 years ago
|
||
Well, the bug isn't totally invalid; there is one pretty central site using the internal API which doesn't check for null.
Attachment #501760 -
Flags: review?(gal)
|
|
Assignee | |
Updated•10 years ago
|
Summary: there are a bunch of places NULL can flow into OBJECT_TO_JSVAL → JSCompartment::wrap missing oom check
|
||
Updated•10 years ago
|
blocking2.0: --- → .x
|
||
Updated•10 years ago
|
Attachment #501760 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 3•10 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/8a1715b0aeae
Whiteboard: fixed-in-tracemonkey
|
||
Comment 4•10 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/8a1715b0aeae
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•