Fix unsafe references near HashableValue::setValue

RESOLVED FIXED in mozilla25

Status

()

Core
JavaScript Engine
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: terrence, Assigned: terrence)

Tracking

(Blocks: 1 bug)

Trunk
mozilla25
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
Created attachment 783261 [details] [diff] [review]
ur_MapObjectSetValue-v0.diff

We can easily make this a HandleValue.
Attachment #783261 - Flags: review?(sphink)
Comment on attachment 783261 [details] [diff] [review]
ur_MapObjectSetValue-v0.diff

Review of attachment 783261 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsiter.h
@@ +299,5 @@
>          ok = ok && Next(cx, iterator, &currentValue);
>          return ok && !currentValue.get().isMagic(JS_NO_ITER_VALUE);
>      }
>  
> +    MutableHandleValue value() {

Why is this a *Mutable*HandleValue? When would you want to change the current value of the iterator? I don't see it used in this patch; am I missing it?

Actually, this doesn't seem like it belongs in this patch at all. It would make more sense in the other patch. Ooh... is it needed there?
Comment on attachment 783261 [details] [diff] [review]
ur_MapObjectSetValue-v0.diff

Review of attachment 783261 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsiter.h
@@ +299,5 @@
>          ok = ok && Next(cx, iterator, &currentValue);
>          return ok && !currentValue.get().isMagic(JS_NO_ITER_VALUE);
>      }
>  
> +    MutableHandleValue value() {

Oh! It was a non-const reference, so the caller can modify the Value at the current point of iteration. Duh.
Attachment #783261 - Flags: review?(sphink) → review+
(Assignee)

Comment 3

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1d49d7996875
https://hg.mozilla.org/mozilla-central/rev/1d49d7996875
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.