From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Mon, 12 Jan 2015 14:19:27 -0800
Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
JS_iterateCompartments. r=terrence, a=abillings
---
js/src/gc/Zone.h | 11 ++++++-----
js/src/jsapi.h | 5 +++--
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
index cbbde6b..612defe 100644
--- a/js/src/gc/Zone.h
+++ b/js/src/gc/Zone.h
@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
// This is for the benefit of CompartmentsIterT::comp.
friend class mozilla::Maybe<CompartmentsInZoneIter>;
private:
- JSCompartment **it, **end;
+ JS::Zone *zone;
+ JSCompartment **it;
CompartmentsInZoneIter()
- : it(nullptr), end(nullptr)
+ : zone(nullptr), it(nullptr)
{}
public:
- explicit CompartmentsInZoneIter(JS::Zone *zone) {
+ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
it = zone->compartments.begin();
- end = zone->compartments.end();
}
bool done() const {
JS_ASSERT(it);
- return it == end;
+ return it < zone->compartments.begin() ||
+ it >= zone->compartments.end();
}
void next() {
JS_ASSERT(!done());
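Review bot: The new `done()` at the end of the hunk compares the saved pointer `it` against the *current* `zone->compartments.begin()`/`end()`, which is only well-defined while the vector keeps the same buffer; if a callback were ever to append to `compartments` and trigger a reallocation, `it` would point into freed storage, the relational comparison against the new buffer is unspecified in C++, and a false `done()` would let the iterator's accessor read through a dangling pointer. The shrink case the commit targets (compartments removed during GC) is covered by the `>= end()` test, but this fix still encodes the iterator's position as an address rather than as a position in the vector. Storing a `size_t` index instead of `JSCompartment **it` keeps `done()` valid across both removal and reallocation, with the same "some compartments may be skipped" caveat the jsapi.h comment documents. `next()` and the accessor that dereferences `it` lie outside this hunk and would need the matching index-based change; the struct itself also begins before the hunk.
```cpp
JS::Zone *zone;
size_t index;
CompartmentsInZoneIter()
  : zone(nullptr), index(0)
{}
// … unchanged: friend declaration and access specifiers …
explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone), index(0) {}
bool done() const {
    JS_ASSERT(zone);
    // Re-read the bounds on every call: the vector may have shrunk since construction.
    return index >= size_t(zone->compartments.end() - zone->compartments.begin());
}
// … next()/accessor (outside the hunk) would advance and dereference by index …
```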
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
index 5ae1f86..40fdb37 100644
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
/*
- * This function calls |compartmentCallback| on every compartment. Beware that
+ * This function calls |compartmentCallback| on every compartment. Beware that
* there is no guarantee that the compartment will survive after the callback
- * returns.
+ * returns. Also, if the callback can GC, there is no guarantee that every
+ * compartment will be visited.
*/
extern JS_PUBLIC_API(void)
JS_IterateCompartments(JSRuntime *rt, void *data,
--
2.2.1