Bug 568007 - js_GetReservedSlot is too friendly to api abusers r=jorendorff
authortimeless <timeless@bemail.org>
Mon, 28 Jun 2010 12:00:07 +0200
changeset 46337 9c85f9aaec8c8f2524b15e09193605834f083299
parent 46336 1233da24d7f3cc74a97af5f07d1b2ea1983668b1
child 46338 c39ab74a7da1ee3fed89fd41477df084682e4f26
reviewersjorendorff
bugs568007
milestone1.9.3a6pre
Bug 568007 - js_GetReservedSlot is too friendly to api abusers r=jorendorff
js/src/jsobj.cpp
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -6228,18 +6228,17 @@ js_GetReservedSlot(JSContext *cx, JSObje
         *vp = JSVAL_VOID;
         return true;
     }
 
     JSClass *clasp = obj->getClass();
     uint32 limit = JSCLASS_RESERVED_SLOTS(clasp);
 
     JS_LOCK_OBJ(cx, obj);
-    if (index >= limit && !ReservedSlotIndexOK(cx, obj, clasp, index, limit))
-        return false;
+    JS_ASSERT(index < limit || ReservedSlotIndexOK(cx, obj, clasp, index, limit));
 
     uint32 slot = JSSLOT_START(clasp) + index;
     *vp = (slot < obj->numSlots()) ? obj->getSlot(slot) : JSVAL_VOID;
     JS_UNLOCK_OBJ(cx, obj);
     return true;
 }
 
 bool
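Review bot: In builds where JS_ASSERT compiles to nothing, the new line at the top of the hunk means an out-of-range index is no longer rejected at all, so the `slot < obj->numSlots()` test two lines below becomes the only guard on the read; that should be stated next to it, e.g. `// Release builds rely on the numSlots() check below: a bad index yields JSVAL_VOID, never an OOB read.`. That fallback is also weaker than the old check in one respect: `JSSLOT_START(clasp) + index` is uint32 arithmetic, and an index large enough to wrap would pass the numSlots() test and hand back some other, non-reserved slot rather than JSVAL_VOID, which is worth either a comment or an explicit `index < limit` precondition in the function's documentation. Separately, ReservedSlotIndexOK is now evaluated only in debug builds; if it does anything beyond returning a bool (it takes cx, so it may report), that side effect silently disappears from release code — I cannot tell from the hunk whether it does. js_GetReservedSlot begins before this hunk, so the early-return path above it is not visible here.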