Closed
Bug 332415
Opened 18 years ago
Closed 18 years ago
Double free lurking in js_NewRegExpObject
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: mrbkap, Assigned: brendan)
Details
(Keywords: fixed1.8.1)
Attachments
(1 file)
1.04 KB, patch | brendan: review+ | brendan: approval-branch-1.8.1+
I noticed this piece of code the other day:

    obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL);
    if (!obj ||
        !JS_SetPrivate(cx, obj, re) ||
        !js_SetLastIndex(cx, obj, 0)) {
        js_DestroyRegExp(cx, re);

In the case that the JS_SetPrivate succeeds and the js_SetLastIndex fails, re is held on to by the object (to be released in its finalizer) but it's also destroyed by the explicit call to js_DestroyRegExp. Brendan has a patch.
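The failure path described in the report above, as an added example that is not part of the bug or of the attached patch: a toy C model that counts how often re is destroyed under the reported pattern and under one assumed ownership-aware cleanup. All types and function names are constructed stand-ins, not SpiderMonkey's, and the finalizer is called directly to stand in for a later GC.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for this example; not SpiderMonkey's real types. */
typedef struct { int destroyed; } RegExp;   /* counts destroys instead of free() */
typedef struct { RegExp *priv; } Object;

static void destroy_regexp(RegExp *re) { re->destroyed++; }
/* Finalizer: releases the private data the object holds (run by the GC). */
static void finalize(Object *obj) {
    if (obj->priv) destroy_regexp(obj->priv);
    free(obj);
}
static int set_private(Object *obj, RegExp *re) { obj->priv = re; return 1; }
static int set_last_index(Object *obj, int fail) { (void)obj; return !fail; }

/* Reported pattern: one cleanup for all three failure cases. */
static int buggy_new(RegExp *re, int fail_last_index) {
    Object *obj = calloc(1, sizeof *obj);
    if (!obj || !set_private(obj, re) || !set_last_index(obj, fail_last_index))
        destroy_regexp(re);          /* explicit destroy on any failure */
    if (obj) finalize(obj);          /* simulated GC: destroys obj->priv again */
    return re->destroyed;
}

/* Assumed fix: once set_private succeeds, only the finalizer destroys re. */
static int fixed_new(RegExp *re, int fail_last_index) {
    Object *obj = calloc(1, sizeof *obj);
    if (!obj || !set_private(obj, re)) {
        destroy_regexp(re);          /* obj never took ownership of re */
        free(obj);
        return re->destroyed;
    }
    (void)set_last_index(obj, fail_last_index);  /* failure: leave re to obj */
    finalize(obj);                   /* simulated GC */
    return re->destroyed;
}

/* Number of times one RegExp is destroyed over the object's lifetime. */
static int count_destroys(int use_fixed, int fail_last_index) {
    RegExp re = {0};
    return use_fixed ? fixed_new(&re, fail_last_index) : buggy_new(&re, fail_last_index);
}

int main(void) {
    printf("reported pattern, last-index failure: %d\n", count_destroys(0, 1));
    printf("assumed fix, same failure: %d\n", count_destroys(1, 1));
    return 0;
}
```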
Comment 1 (Assignee) • 18 years ago
Updated (Assignee) • 18 years ago
Attachment #216878 - Flags: approval-branch-1.8.1+
Comment 2 (Assignee) • 18 years ago
Fixed on trunk and 1.8 branch. /be
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Updated • 18 years ago
Flags: in-testsuite-