Closed
Bug 631467
Opened 15 years ago
Closed 14 years ago
NULL dereference of jsdc->dumbContext
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sfink, Unassigned)
Details
(Whiteboard: [fixed-in-tracemonkey])
Attachments
(1 file, 1 obsolete file)
|
1.87 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
In _newJSDContext() inside of jsd_high.c, there are a couple of issues:
1. If JS_NewContext() fails and returns NULL, we'll goto label_newJSDContext_failure and end up calling JS_EndRequest(NULL), which will do a NULL ptr dereference.
2. The |if( call )| test is redundant. If call were NULL, we would've already jumped to the error label.
3. call = JS_EnterCrossCompartmentCall(jsdc->dumbContext, jsdc->glob) is a no-op. jsdc->dumbContext is already guaranteed to be in the same compartment as jsdc->glob, since the compartment and global were just created a few lines earlier. This comes from bug 600580.
The only thing I see that could possibly be in a foreign compartment here is scopeobj, but currently it's unused. Also, all callers with js/jsd pass in NULL. Smells like dead code?
|
Reporter | |
Comment 1•15 years ago
|
||
Attachment #509700 -
Flags: review?(gal)
|
|
Reporter | |
Updated•15 years ago
|
Summary: NULL reference of jsdc->dumbContext → NULL dereference of jsdc->dumbContext
|
||
Comment 2•15 years ago
|
||
Comment on attachment 509700 [details] [diff] [review]
Fix null deref, eliminate dead code
Why is this dead code? What enters the compartment for JS_InitStandardClases?
|
|
Reporter | |
Comment 3•15 years ago
|
||
Well, if you're asking the question, then it probably isn't dead code. So let me try to explain my assumptions:
There's only one compartment involved here. It is created with the line
jsdc->glob = JS_NewCompartmentAndGlobalObject(jsdc->dumbContext, &global_class, NULL);
I assume that that means that jsdc->dumbContext will be initialized to that compartment and never leave it. Is that incorrect? Will jsdc->dumbContext only enter a compartment if something else happens?
...oh. Looking at the code, JS_NewCompartmentAndGlobalObject does not affect the preexisting cx->compartment. Um, ok, help me out here -- how do contexts initially enter/get assigned a compartment? Someday I'd like to understand this stuff.
But you're right, that isn't dead code. I'll update the patch to just deal with the NULL deref.
|
|
Reporter | |
Comment 4•15 years ago
|
||
Ok, I *think* I have the logic right. If so, this should fix the NULL deref problem, and also leaves the compartment if JS_InitStandardClasses fails. I don't know if the latter is even necessary, since the whole context is getting thrown out anyway.
Attachment #509700 -
Attachment is obsolete: true
Attachment #509703 -
Flags: review?(gal)
Attachment #509700 -
Flags: review?(gal)
|
|
||
Comment 5•15 years ago
|
||
Comment on attachment 509703 [details] [diff] [review]
Avoid NULL deref on error, leave compartment on error
Looks good.
Attachment #509703 -
Flags: review?(gal) → review+
|
|
Reporter | |
Comment 6•14 years ago
|
||
Whiteboard: [fixed-in-tracemonkey]
|
|
Reporter | |
Comment 7•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
Assignee | |
Updated•14 years ago
|
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine
You need to log in
before you can comment on or make changes to this bug.
Description
•