Bug 479353 - Crash [@ Detecting] or "Assertion failure: (uint32)(index_) < atoms_->length, at ../jsobj.cpp". r=igor.

2024-09-13 09:24:08 -07:00 · 2009-02-20 18:22:51 -06:00 · 2009-02-20 18:22:51 -06:00 · bf8b9e17e4
commit bf8b9e17e4
parent f6405f0cb3
1 changed files with 12 additions and 8 deletions
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@ -2020,13 +2020,15 @@ static JS_REQUIRES_STACK JSBool
 Detecting(JSContext *cx, jsbytecode *pc)
 {
    JSScript *script;
+    jsbytecode *endpc;
    JSOp op;
    JSAtom *atom;

-    if (!cx->fp)
-        return JS_FALSE;
    script = cx->fp->script;
+    endpc = script->code + script->length;
    for (;; pc += js_CodeSpec[op].length) {
+        JS_ASSERT(pc < endpc);
+
        /* General case: a branch or equality op follows the access. */
        op = js_GetOpcode(cx, script, pc);
        if (js_CodeSpec[op].format & JOF_DETECTING)
@ -2038,9 +2040,11 @@ Detecting(JSContext *cx, jsbytecode *pc)
             * Special case #1: handle (document.all == null).  Don't sweat
             * about JS1.2's revision of the equality operators here.
             */
-            pc++;
-            op = js_GetOpcode(cx, script, pc);
-            return op == JSOP_EQ || op == JSOP_NE;
+            if (++pc < endpc) {
+                op = js_GetOpcode(cx, script, pc);
+                return *pc == JSOP_EQ || *pc == JSOP_NE;
+            }
+            return JS_FALSE;

          case JSOP_NAME:
            /*
@ -2049,8 +2053,8 @@ Detecting(JSContext *cx, jsbytecode *pc)
             * Edition 3, so is read/write for backward compatibility.
             */
            GET_ATOM_FROM_BYTECODE(script, pc, 0, atom);
-            if (atom == cx->runtime->atomState.typeAtoms[JSTYPE_VOID]) {
-                pc += js_CodeSpec[op].length;
+            if (atom == cx->runtime->atomState.typeAtoms[JSTYPE_VOID] &&
+                (pc += js_CodeSpec[op].length) < endpc) {
                op = js_GetOpcode(cx, script, pc);
                return op == JSOP_EQ || op == JSOP_NE ||
                       op == JSOP_STRICTEQ || op == JSOP_STRICTNE;
@ -2097,7 +2101,7 @@ InferFlags(JSContext *cx, uintN defaultFlags)
        flags |= JSRESOLVE_ASSIGNING;
    } else {
        pc += cs->length;
-        if (Detecting(cx, pc))
+        if (pc < cx->fp->script->code + cx->fp->script->length && Detecting(cx, pc))
            flags |= JSRESOLVE_DETECTING;
    }
    if (format & JOF_DECLARING)