Bug 1019810: Crashing in InlineFrameIterator::findNextFrame() with MOZ_CRASH when numActualArgs_ fails to get initialized, r=h4writer

2025-03-02 22:37:50 +00:00 · 2014-08-25 17:55:27 +05:30 · 2014-08-25 17:55:27 +05:30 · 995b8b1c13
commit 995b8b1c13
parent e49b1d978d
1 changed files with 2 additions and 3 deletions
--- a/js/src/jit/IonFrames.cpp
+++ b/js/src/jit/IonFrames.cpp
@ -1875,9 +1875,7 @@ InlineFrameIterator::findNextFrame()
    si_.settleOnFrame();

    pc_ = script_->offsetToPC(si_.pcOffset());
-#ifdef DEBUG
    numActualArgs_ = 0xbadbad;
-#endif

    // This unfortunately is O(n*m), because we must skip over outer frames
    // before reading inner ones.
@ -1904,7 +1902,8 @@ InlineFrameIterator::findNextFrame()
            numActualArgs_ = 1;
        }

-        JS_ASSERT(numActualArgs_ != 0xbadbad);
+        if (numActualArgs_ == 0xbadbad)
+            MOZ_CRASH("Couldn't deduce the number of arguments of an ionmonkey frame");

        // Skip over non-argument slots, as well as |this|.
        unsigned skipCount = (si_.numAllocations() - 1) - numActualArgs_ - 1;