Closed
Bug 623441
Opened 15 years ago
Closed 15 years ago
JSCompartment::wrap missing oom check
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | .x+ |
People
(Reporter: luke, Assigned: luke)
References
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
2.19 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
Namely:
JetpackChild.cpp : ReportError
Handle.h : GetParent, CreateHandle
xpcconvert.cpp: NativeInterface2JSObject/CreateHolderIfNeeded
xpccomponents.cpp : CallOrConstruct, GetGlobalForObject
nsNPAPIPluggin.cpp: _evaluate
ObjectWrapperParent.cpp : jsval_from_PObjectWrapperParent
nsJSEnvironment.cpp : nsJSContext::SetProperty
nsDOMClassInfo.cpp : nsWindowSH::GetProperty
nsScriptableRegion.cpp : GetRects
dmandelin and I found these while investigating bug 605290: several of these flow into 'jsval' IDL outparams which would then explode in JSCompartment::wrap when it was called by GatherAndConvertOutparams in XPCNW::CallMethod fixing this will fix that bug.
|
Assignee | |
Comment 1•15 years ago
|
||
Oh duh, I just remembered while putting Scott to sleep that
JSVAL_IS_OBJECT === js::Value::isObjectOrNull
OBJECT_TO_JSVAL === js::Value::setObjectOrNull
so all the above cases aren't actually bugs. (For fatvals, I didn't want to change the semantics of these public API functions since that would effectively force embeddings (incl. mozilla) to do a whole-program data-flow analysis.)
So it looks like, for bug 605190, the princess is in another castle.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
|
|
Assignee | |
Updated•15 years ago
|
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 2•15 years ago
|
||
Well, the bug isn't totally invalid; there is one pretty central site using the internal API which doesn't check for null.
Attachment #501760 -
Flags: review?(gal)
|
|
Assignee | |
Updated•15 years ago
|
Summary: there are a bunch of places NULL can flow into OBJECT_TO_JSVAL → JSCompartment::wrap missing oom check
|
||
Updated•15 years ago
|
blocking2.0: --- → .x
|
||
Updated•15 years ago
|
Attachment #501760 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 3•15 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
||
Comment 4•15 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•