Closed Bug 527004 Opened 15 years ago Closed 15 years ago

Dehydra heap corruption when dehydra_visitFunctionDecl called twice on one node

Categories

(Developer Infrastructure :: Source Code Analysis, defect)

Hardware: x86
OS: Linux
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: philip, Unassigned)

Details

Attachments

(1 file)

When dehydra_visitFunctionDecl is called, it sets *v = NULL. If it's called again with the same 'f', then it reads key = *v, so key = 0. It then calls dehydra_getRootedObject with key = 0, which overwrites the rootedFreeArray root. Eventually GC happens and the unrooted rootedFreeArray gets corrupted.

The attached patch adds some assertions to reduce the chance of rootedFreeArray getting silently overwritten. It also ignores all visits to a function decl after the first.

(I have no idea *why* a declaration gets visited twice - I've only seen it happen in one instance, in the middle of a load of template code, and can't find a short way to reproduce it.)
Attached patch: patch
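A minimal C model of the failure described in the report, added here as an illustration (it is not Dehydra's code; the types, names and slot numbering are hypothetical): a root table whose slot 0 holds the free-list array, a visitor that consumes a node's key and clears it, and the same visitor with the patch's two guards (assert the key is non-zero, ignore repeat visits).

```c
/* Constructed model of the double-visit rooting bug; names are hypothetical. */
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define MAX_ROOTS 8
#define FREE_ARRAY_SLOT 0   /* key 0 is where the free-list array itself is rooted */

typedef struct { uintptr_t roots[MAX_ROOTS]; } RootTable;
/* A per-node record: key 0 means "no key assigned / already consumed". */
typedef struct { int key; int visits; } FuncDecl;

static void root_table_init(RootTable *t, uintptr_t free_array) {
    memset(t, 0, sizeof *t);
    t->roots[FREE_ARRAY_SLOT] = free_array;
}

/* Buggy visitor: the first call consumes the key and clears it; a second
 * call on the same node reads key 0 and silently overwrites slot 0. */
static void visit_buggy(RootTable *t, FuncDecl *f, uintptr_t obj) {
    int key = f->key;
    f->key = 0;
    t->roots[key] = obj;
}

/* Guarded visitor: repeat visits are ignored and a zero key is rejected,
 * so the free-list array root can no longer be clobbered. */
static int visit_guarded(RootTable *t, FuncDecl *f, uintptr_t obj) {
    if (f->visits++ > 0)
        return 0;                       /* every visit after the first is a no-op */
    int key = f->key;
    f->key = 0;
    assert(key != FREE_ARRAY_SLOT);     /* would catch the overwrite instead of corrupting later */
    t->roots[key] = obj;
    return 1;
}

/* Visit one node twice and report whether the free-list array root survived. */
int free_array_intact_after_double_visit(int guarded) {
    RootTable t;
    root_table_init(&t, 0xF00D);        /* constructed sentinel for the free-list array */
    FuncDecl f = { .key = 3, .visits = 0 };
    if (guarded) { visit_guarded(&t, &f, 0xA); visit_guarded(&t, &f, 0xB); }
    else         { visit_buggy(&t, &f, 0xA);   visit_buggy(&t, &f, 0xB);   }
    return t.roots[FREE_ARRAY_SLOT] == 0xF00D;
}
```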
http://hg.mozilla.org/rewriting-and-analysis/dehydra/rev/7fe96a4b48e3
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: Core → Firefox Build System
Product: Firefox Build System → Developer Infrastructure