Closed Bug 56482 Opened 24 years ago Closed 24 years ago

JS obj.toSource can crash racing with delete

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

VERIFIED FIXED

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(3 files)

The OBJ_LOOKUP_PROPERTY at http://lxr.mozilla.org/mozilla/source/js/src/jsobj.c#595 may fail if one of the ids returned by OBJ_ENUMERATE is deleted, or if an implementation of enumerate overstates what properties are truly there. Not only will prop be null, so will obj2 -- which is used a few lines later without a null check. Patch coming up.
Looking for r/a= as usual. Trunk only. /be
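The failure mode described in the report, as an added example that is not SpiderMonkey code: a small C model of the toSource loop in which an enumerate call returns a snapshot of ids, a delete lands before the per-id lookup, and the lookup then hands back NULL for both obj2 and prop. The names define_property, enumerate, lookup_property, to_source and race_demo are hypothetical stand-ins for the real OBJ_ENUMERATE / OBJ_LOOKUP_PROPERTY hooks; the loop below carries the null protection the fix adds, and a comment marks where the unprotected version dereferenced obj2.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not SpiderMonkey code. Models the enumerate-then-lookup
 * pattern of js_obj_toSource with hypothetical names. */

#define MAX_PROPS 8

typedef struct {
    const char *id;
    int value;
    int live;   /* cleared by delete_property; the slot itself stays */
} Property;

typedef struct {
    Property props[MAX_PROPS];
    int nprops;
} Object;

static void define_property(Object *obj, const char *id, int value) {
    Property *p = &obj->props[obj->nprops++];
    p->id = id; p->value = value; p->live = 1;
}

/* Models delete: marks the property dead, so an id list taken earlier by
 * enumerate still names it but a later lookup will miss. */
static void delete_property(Object *obj, const char *id) {
    for (int i = 0; i < obj->nprops; i++)
        if (obj->props[i].live && strcmp(obj->props[i].id, id) == 0)
            obj->props[i].live = 0;
}

/* Models OBJ_ENUMERATE: copies the currently live ids into ids[], returns
 * the count. The snapshot can go stale as soon as it is returned. */
static int enumerate(const Object *obj, const char **ids, int max) {
    int n = 0;
    for (int i = 0; i < obj->nprops && n < max; i++)
        if (obj->props[i].live) ids[n++] = obj->props[i].id;
    return n;
}

/* Models OBJ_LOOKUP_PROPERTY: on a miss BOTH *objp and *propp are NULL,
 * which is the case the original toSource loop did not handle. */
static void lookup_property(Object *obj, const char *id,
                            Object **objp, Property **propp) {
    *objp = NULL; *propp = NULL;
    for (int i = 0; i < obj->nprops; i++)
        if (obj->props[i].live && strcmp(obj->props[i].id, id) == 0) {
            *objp = obj; *propp = &obj->props[i]; return;
        }
}

/* The protected loop: a lookup miss is skipped. Writes "({id:value, ...})"
 * into out and returns the number of properties emitted. */
static int to_source(Object *obj, const char **ids, int nids,
                     char *out, size_t outlen) {
    int emitted = 0;
    size_t used = 0;
    used += (size_t)snprintf(out + used, outlen - used, "({");
    for (int i = 0; i < nids; i++) {
        Object *obj2; Property *prop;
        lookup_property(obj, ids[i], &obj2, &prop);
        if (!prop || !obj2)   /* id vanished, or enumerate overstated it */
            continue;
        /* Without the check above, obj2 (NULL on a miss) is used here. */
        used += (size_t)snprintf(out + used, outlen - used, "%s%s:%d",
                                 emitted ? ", " : "", prop->id, prop->value);
        emitted++;
    }
    snprintf(out + used, outlen - used, "})");
    return emitted;
}

static int last_emitted;   /* count from the most recent race_demo() */

/* Drives the race deterministically: enumerate, then delete one of the
 * enumerated ids, then toSource over the stale snapshot. Returns the text. */
static const char *race_demo(void) {
    static char buf[128];
    Object obj = {0};
    define_property(&obj, "a", 1);
    define_property(&obj, "b", 2);
    define_property(&obj, "c", 3);
    const char *ids[MAX_PROPS];
    int n = enumerate(&obj, ids, MAX_PROPS);   /* snapshot: a, b, c */
    delete_property(&obj, "b");                /* stands in for the racing delete */
    last_emitted = to_source(&obj, ids, n, buf, sizeof buf);
    return buf;
}

int main(void) {
    const char *s = race_demo();
    printf("%d props: %s\n", last_emitted, s);
    return 0;
}
```

The delete here is sequential rather than a second thread, which is enough to exercise the same code path: the snapshot from enumerate names "b", the lookup for "b" returns NULL for both obj2 and prop, and only the null check keeps the loop from touching obj2.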
Status: NEW → ASSIGNED
Keywords: js1.5
Attached patch proposed fix (deleted) — Splinter Review
Is there an easy test case for this one? I don't fully understand it, but would like to add a test case -
Apart from writing an OBJ_ENUMERATE that "exaggerates", you could try racing delete with enumerate -- but you'd need a multi-threaded test harness (js or xpc shell). /be
Looks like good obj2/prop null-protection. Sorry for the lag. sr=shaver.
r=jband
Fix in trunk. Not going for branch. /be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking Verified -
Status: RESOLVED → VERIFIED