Closed Bug 959932 Opened 7 years ago Closed 7 years ago

Fix some unsafe address issues in js/src/vm

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla29

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

This does not fix the StackShape bits in GlobalObject or Shape, or the PropDesc stuff in ObjectImpl, because I'm not sure what the right fixes are there.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment on attachment 8360202
Fix some unsafe address issues in js/src/vm.

Review of attachment 8360202:
-----------------------------------------------------------------

::: js/src/vm/Interpreter.cpp
@@ +84,5 @@
>  #endif
>  LooseEqualityOp(JSContext *cx, FrameRegs &regs)
>  {
> +    HandleValue rval = HandleValue::fromMarkedLocation(&regs.sp[-1]);
> +    HandleValue lval = HandleValue::fromMarkedLocation(&regs.sp[-2]);
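
Review bot: nothing at the two added fromMarkedLocation lines states why &regs.sp[-1] and &regs.sp[-2] may be treated as already-marked locations, or that regs.sp must not move while rval and lval are in use. Because both handles are built from raw stack-slot addresses, a one-line comment recording that invariant, or a single FrameRegs helper that owns the address computation, would keep the claim auditable in one place.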

regs.stackHandleAt(-1) and (-2), please.
Attachment #8360202 - Flags: review?(sphink) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/1860fe32a32e with that change; thanks for pointing out the sane API!
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla29
https://hg.mozilla.org/mozilla-central/rev/1860fe32a32e
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED