10994 - nsArena crashes if destroyed before Init()

Status: VERIFIED FIXED

(Core :: XPCOM, defect, P1)

Description

[rginda]

~nsArena calls PL_FinishArenaPool(&mPool); without checking to see if
the pool was initialized.  The included patch adds an mInitialized member
to the class.  I'd guess there is probably a Better Way.


Index: nsArena.cpp
===================================================================
RCS file: /cvsroot/mozilla/xpcom/ds/nsArena.cpp,v
retrieving revision 3.4
diff -u -r3.4 nsArena.cpp
--- nsArena.cpp 1999/07/28 08:27:38     3.4
+++ nsArena.cpp 1999/07/31 06:51:07
@@ -20,6 +20,7 @@
 #include "nsCRT.h"

 ArenaImpl::ArenaImpl(void)
+    : mInitialized(PR_FALSE)
 {
   NS_INIT_REFCNT();
   nsCRT::memset(&mPool, 0, sizeof(PLArenaPool));
@@ -33,6 +34,7 @@
   }
   PL_INIT_ARENA_POOL(&mPool, "nsIArena", aBlockSize);
   mBlockSize = aBlockSize;
+  mInitialized = PR_TRUE;
   return NS_OK;
 }

@@ -40,7 +42,8 @@

 ArenaImpl::~ArenaImpl()
 {
-  PL_FinishArenaPool(&mPool);
+  if (mInitialized)
+    PL_FinishArenaPool(&mPool);
 }

 NS_IMETHODIMP_(void*)
Index: nsArena.h
===================================================================
RCS file: /cvsroot/mozilla/xpcom/ds/nsArena.h,v
retrieving revision 1.2
diff -u -r1.2 nsArena.h
--- nsArena.h   1999/07/28 08:27:38     1.2
+++ nsArena.h   1999/07/31 06:51:07
@@ -42,6 +42,10 @@
 protected:
   PLArenaPool mPool;
   PRUint32 mBlockSize;
+
+private:
+  PRBool mInitialized;
+
 };

 #endif // nsArena_h__

Comment 1

[rginda]

oops...

-  PL_FinishArenaPool(&mPool);
+  if (mInitialized)
+    PL_FinishArenaPool(&mPool);

that should be
-  PL_FinishArenaPool(&mPool);
+  if (mInitialized)
+    PL_FinishArenaPool(&mPool);
+
+  mInitialized = PR_FALSE;

Comment 2

[Peter Trudelle]

Shouldn't this be critical severity, since it crashes?

Comment 3

[Warren Harris]

I thought I fixed this a while back. Maybe it never got checked in.
Someone should verify.

Comment 4

[Scott Collins]

this is a crasher, it needs to be a high priority