Bug 785805 - Segmentation fault when calling %ThrowError for message with three arguments. r=tschneidereit
authorNorbert Lindenberg <mozilladev@lindenbergsoftware.com>
Tue, 28 Aug 2012 20:03:00 +0200
changeset 105795 67c5a4852b9f85cb48c40ed2bf8f279b927e0a6a
parent 105794 17b1db7b293fdfe59b4f2b558023129b5d804cf4
child 105796 cf396cb6d4af6f1110c4635f8e41db788d82931b
push id55
push usershu@rfrn.org
push dateThu, 30 Aug 2012 01:33:09 +0000
reviewerstschneidereit
bugs785805
milestone18.0a1
Bug 785805 - Segmentation fault when calling %ThrowError for message with three arguments. r=tschneidereit
js/src/vm/GlobalObject.cpp
--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@@ -209,17 +209,17 @@ intrinsic_IsCallable(JSContext *cx, unsi
 static JSBool
 intrinsic_ThrowError(JSContext *cx, unsigned argc, Value *vp)
 {
     CallArgs args = CallArgsFromVp(argc, vp);
     JS_ASSERT(args.length() >= 1);
     uint32_t errorNumber = args[0].toInt32();
 
     char *errorArgs[3] = {NULL, NULL, NULL};
-    for (unsigned i = 1; i < 3 && i < args.length(); i++) {
+    for (unsigned i = 1; i < 4 && i < args.length(); i++) {
         RootedValue val(cx, args[i]);
         if (val.isInt32() || val.isString()) {
             errorArgs[i - 1] = JS_EncodeString(cx, ToString(cx, val));
         } else {
             ptrdiff_t spIndex = cx->stack.spIndexOf(val.address());
             errorArgs[i - 1] = DecompileValueGenerator(cx, spIndex, val, NullPtr(), 1);
         }
     }
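Review bot: The loop bound `4` is still a bare literal that has to stay exactly one more than the size of `errorArgs[3]`, because the body writes `errorArgs[i - 1]`. A bound that is too small leaves a slot NULL (presumably the crash this bug reports), and one that is too large would write past the end of the stack array. Deriving the bound from the array keeps the two in step: `for (unsigned i = 1; i <= sizeof(errorArgs) / sizeof(errorArgs[0]) && i < args.length(); i++) {`. Separately, the results of `ToString(cx, val)` and `JS_EncodeString` are not checked inside the loop, so a failed conversion may pass a null pointer onward. Whether the rest of `intrinsic_ThrowError` tolerates that is not visible, since the function body continues past the end of the hunk.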