Bug 959208 (Closed)
Opened 11 years ago; closed 11 years ago
Crash [@ js::BarrieredValue::pre] or Crash [@ getClass] due to unhandled OOM in CloneObject
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla29
People: Reporter: decoder; Assigned: decoder
References: Blocks 1 open bug
Keywords: sec-want
Attachments (1 file): patch, 1.39 KB, jandem: review+
This code in CloneObject does not check the return value of CloneFunctionObject before using it, causing crashes:
> clone = CloneFunctionObject(cx, fun, cx->global(), kind, TenuredObject);
> // To be able to re-lazify the cloned function, its name in the
> // self-hosting compartment has to be stored on the clone.
> if (hasName)
>     clone->as<JSFunction>().setExtendedSlot(0, StringValue(fun->atom()));
Patch attached.
Attachment #8359260 - Flags: review?(jdemooij)
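A self-contained C++ model of the bug above and of the corrected shape, added here as an illustration; it is not SpiderMonkey code. FakeFunction, cloneFunctionObject and the two cloneObject* functions are constructed stand-ins for the names in the quoted snippet, and the `oom` flag simulates the allocator failing.

```cpp
#include <array>
#include <memory>
#include <string>

// Constructed stand-in for a JSFunction: its name atom and the extended
// slots the quoted code writes to via setExtendedSlot(0, ...).
struct FakeFunction {
    std::string atom;
    std::array<std::string, 2> extendedSlots;
};

// Stand-in for CloneFunctionObject. Like the real allocation path it reports
// OOM by returning null; `oom` simulates the allocator failing.
static std::unique_ptr<FakeFunction> cloneFunctionObject(const FakeFunction& fun, bool oom) {
    if (oom)
        return nullptr;
    auto clone = std::make_unique<FakeFunction>();
    clone->atom = fun.atom;
    return clone;
}

// Shape of the code in the bug report: the clone is used before anyone checks
// it, so a null return becomes a null dereference (the crash signatures in
// the title). Kept only to show the pattern; not called below.
[[maybe_unused]] static std::unique_ptr<FakeFunction>
cloneObjectUnchecked(const FakeFunction& fun, bool hasName, bool oom) {
    auto clone = cloneFunctionObject(fun, oom);
    if (hasName)
        clone->extendedSlots[0] = fun.atom;  // crashes when clone is null
    return clone;
}

// Fixed shape: bail out and propagate the failure before touching the clone,
// so OOM is an error the caller already has to handle rather than a crash.
static std::unique_ptr<FakeFunction>
cloneObjectChecked(const FakeFunction& fun, bool hasName, bool oom) {
    auto clone = cloneFunctionObject(fun, oom);
    if (!clone)
        return nullptr;
    if (hasName)
        clone->extendedSlots[0] = fun.atom;
    return clone;
}

int main() {
    FakeFunction fun;
    fun.atom = "selfHostedName";  // constructed sample name
    auto ok = cloneObjectChecked(fun, true, false);
    auto oom = cloneObjectChecked(fun, true, true);
    // Exit 0 when the normal path stored the name and the OOM path failed cleanly.
    return (ok && ok->extendedSlots[0] == fun.atom && !oom) ? 0 : 1;
}
```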
Comment 1•11 years ago
Comment on attachment 8359260 [details] [diff] [review]
clone-oom.patch
Review of attachment 8359260 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch.
Attachment #8359260 - Flags: review?(jdemooij) → review+
Comment 2•11 years ago (Assignee)
Comment 3•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment 4•11 years ago
Socorro shows no crashes with the signatures in this bug for the last 4 weeks.
Status: RESOLVED → VERIFIED
Keywords: verifyme