Closed Bug 831050 Opened 13 years ago Closed 2 years ago

Ensure that the operation callback can't corrupt cx->iterValue

Categories

(Core :: JavaScript Engine, defect)

RESOLVED DUPLICATE of bug 831585

People

(Reporter: jimb, Unassigned)

Details

In a for-in loop, the JSOP_MOREITER bytecode sometimes stashes the next iteration's value in cx->iterValue for the JSOP_ITERNEXT bytecode to retrieve. cx->iterValue is assumed to be live only between those two opcodes, where no other JS can intervene (not even for toString or getters or proxy traps or other common sources of unexpected JS execution), so cx->iterValue is never saved and restored; MOREITER just whacks its value in there, and ITERNEXT takes it out. (In DEBUG code, we do store a magic value in there when it's 'empty', and do the usual assertions.)

However, the operation callback can cause arbitrary JS code to run between those two opcodes. If the operation callback runs between a MOREITER and an ITERNEXT, and callback code uses a for-in loop itself, that inner loop will wipe out the outer loop's cx->iterValue value.

The right fix is bug 777596, but that's a pretty big project. However, something like the PreserverIterValue kludge in js/src/vm/Debugger.cpp would probably address this problem fine.
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 831585
Resolution: --- → DUPLICATE
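The hazard described in the report, and the save/restore fix it suggests, in a small added model (this is illustrative code written for this page, not SpiderMonkey's interpreter; the `Context`, `PreserveIterValue`, `forIn` names and the integer stand-in for a JS value are assumptions). The shared `iterValue` slot is filled at the MOREITER step and drained at the ITERNEXT step; a callback that runs its own loop in between clobbers the outer loop's slot unless an RAII guard saves and restores it:

```cpp
#include <cassert>
#include <climits>
#include <cstdint>
#include <functional>
#include <iostream>
#include <vector>

// Hypothetical, simplified stand-in for JSContext: one shared slot that the
// MOREITER step fills and the ITERNEXT step drains. Not SpiderMonkey code.
struct Context {
    // Stand-in for the DEBUG "empty" magic value mentioned in the report.
    static constexpr int64_t kEmpty = INT64_MIN;
    int64_t iterValue = kEmpty;
};

// RAII guard modelled on the save/restore idea the report points at:
// remember the slot on entry, clear it for the nested code, restore on exit.
struct PreserveIterValue {
    Context& cx;
    int64_t saved;
    explicit PreserveIterValue(Context& c) : cx(c), saved(c.iterValue) {
        c.iterValue = Context::kEmpty;
    }
    ~PreserveIterValue() { cx.iterValue = saved; }
};

// A for-in style loop over `items`. Between the MOREITER and ITERNEXT steps it
// invokes `opCallback`, standing in for the operation callback running JS.
// Returns the values ITERNEXT actually observed, so corruption is visible.
std::vector<int64_t> forIn(Context& cx, const std::vector<int64_t>& items,
                           const std::function<void(Context&)>& opCallback) {
    std::vector<int64_t> seen;
    for (int64_t v : items) {
        cx.iterValue = v;                 // MOREITER: stash the next value
        if (opCallback) opCallback(cx);   // arbitrary code may run here
        seen.push_back(cx.iterValue);     // ITERNEXT: take the value out
        cx.iterValue = Context::kEmpty;
    }
    return seen;
}

// Constructed sample data: the outer loop's items and the callback's items.
static const std::vector<int64_t> kOuter = {1, 2, 3};
static const std::vector<int64_t> kInner = {10, 20};

// Callback that runs a nested loop with no protection of cx->iterValue.
std::vector<int64_t> runUnguarded() {
    Context cx;
    return forIn(cx, kOuter, [](Context& c) { forIn(c, kInner, nullptr); });
}

// Same callback, but the nested work is wrapped in the RAII guard.
std::vector<int64_t> runGuarded() {
    Context cx;
    return forIn(cx, kOuter, [](Context& c) {
        PreserveIterValue keep(c);
        forIn(c, kInner, nullptr);
    });
}

// True when every value the outer loop observed is the "empty" marker,
// i.e. the nested loop wiped out the outer loop's stashed value each time.
bool outerValuesClobbered(const std::vector<int64_t>& seen) {
    for (int64_t v : seen) {
        if (v != Context::kEmpty) return false;
    }
    return !seen.empty();
}

int main() {
    std::cout << "unguarded clobbered: " << outerValuesClobbered(runUnguarded()) << "\n";
    std::cout << "guarded clobbered:   " << outerValuesClobbered(runGuarded()) << "\n";
    return 0;
}
```

The guard is deliberately scoped to the callback, not to the loop: the outer loop's MOREITER/ITERNEXT pair stays untouched, and whatever the nested code does to the slot is undone on every exit path, including exceptions, because the restore lives in a destructor.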