64 lines
2.0 KiB
Diff
64 lines
2.0 KiB
Diff
From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
|
|
From: Steve Fink <sfink@mozilla.com>
|
|
Date: Mon, 12 Jan 2015 14:19:27 -0800
|
|
Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
|
|
JS_iterateCompartments. r=terrence, a=abillings
|
|
|
|
---
|
|
js/src/gc/Zone.h | 11 ++++++-----
|
|
js/src/jsapi.h | 5 +++--
|
|
2 files changed, 9 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
|
|
index cbbde6b..612defe 100644
|
|
--- a/js/src/gc/Zone.h
|
|
+++ b/js/src/gc/Zone.h
|
|
@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
|
|
// This is for the benefit of CompartmentsIterT::comp.
|
|
friend class mozilla::Maybe<CompartmentsInZoneIter>;
|
|
private:
|
|
- JSCompartment **it, **end;
|
|
+ JS::Zone *zone;
|
|
+ JSCompartment **it;
|
|
|
|
CompartmentsInZoneIter()
|
|
- : it(nullptr), end(nullptr)
|
|
+ : zone(nullptr), it(nullptr)
|
|
{}
|
|
|
|
public:
|
|
- explicit CompartmentsInZoneIter(JS::Zone *zone) {
|
|
+ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
|
|
it = zone->compartments.begin();
|
|
- end = zone->compartments.end();
|
|
}
|
|
|
|
bool done() const {
|
|
JS_ASSERT(it);
|
|
- return it == end;
|
|
+ return it < zone->compartments.begin() ||
|
|
+ it >= zone->compartments.end();
|
|
}
|
|
void next() {
|
|
JS_ASSERT(!done());
|
|
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
|
|
index 5ae1f86..40fdb37 100644
|
|
--- a/js/src/jsapi.h
|
|
+++ b/js/src/jsapi.h
|
|
@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
|
|
typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
|
|
|
|
/*
|
|
- * This function calls |compartmentCallback| on every compartment. Beware that
|
|
+ * This function calls |compartmentCallback| on every compartment. Beware that
|
|
* there is no guarantee that the compartment will survive after the callback
|
|
- * returns.
|
|
+ * returns. Also, if the callback can GC, there is no guarantee that every
|
|
+ * compartment will be visited.
|
|
*/
|
|
extern JS_PUBLIC_API(void)
|
|
JS_IterateCompartments(JSRuntime *rt, void *data,
|
|
--
|
|
2.2.1
|
|
|