Bug 527004
Opened 15 years ago
Closed 15 years ago
Dehydra heap corruption when dehydra_visitFunctionDecl called twice on one node
Categories
(Developer Infrastructure :: Source Code Analysis, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: philip, Unassigned)
Details
Attachments
(1 file) patch, 988 bytes
When dehydra_visitFunctionDecl is called, it sets *v = NULL. If it's called again with the same 'f', then it reads key = *v, so key = 0. It then calls dehydra_getRootedObject with key = 0, which overwrites the rootedFreeArray root. Eventually GC happens and the unrooted rootedFreeArray gets corrupted. The attached patch adds some assertions to reduce the chance of rootedFreeArray getting silently overwritten. It also ignores all visits to a function decl after the first. (I have no idea *why* a declaration gets visited twice - I've only seen it happen in one instance, in the middle of a load of template code, and can't find a short way to reproduce it.)
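The failure mode in the description is a visitor that clears its per-node key after the first visit, so a second visit of the same node reads a NULL key and hands it to the rooted-object lookup, which then silently overwrites the reserved slot that anchors the free-list bookkeeping. The following is a constructed C model of that mechanism and of the two mitigations the patch describes (reject a zero key with an assertion, ignore repeat visits). It is added here for illustration and is not dehydra's code: `RootTable`, `FunctionDecl`, `get_rooted_object_*` and `visit_function_decl_*` are hypothetical stand-ins for the real `dehydra_getRootedObject`, `dehydra_visitFunctionDecl` and `rootedFreeArray`, and slot 0 is used as the reserved bookkeeping slot.

```c
/* Constructed model of bug 527004: NOT dehydra's code.
 * Slot 0 of the table is reserved for bookkeeping (standing in for the
 * rootedFreeArray root); slots 1..NSLOTS-1 hold per-node rooted objects. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 8
#define RESERVED_SLOT 0     /* hypothetical: slot whose root must never be replaced */

typedef struct {
    void *slots[NSLOTS];    /* hypothetical rooted-object table */
} RootTable;

/* Per-node state. 'key' models the 'v' whose *v holds the key and is set to
 * NULL after the first visit; 'visited' is the flag the fix adds. */
typedef struct {
    const char *name;
    uintptr_t key;
    bool visited;
} FunctionDecl;

static void root_table_init(RootTable *t, void *bookkeeping) {
    for (size_t i = 0; i < NSLOTS; i++) t->slots[i] = NULL;
    t->slots[RESERVED_SLOT] = bookkeeping;
}

/* Model of the lookup as the bug describes it: nothing rejects key == 0,
 * so a NULL key lands on the reserved slot and replaces its root. */
static void get_rooted_object_unchecked(RootTable *t, uintptr_t key, void *obj) {
    t->slots[key % NSLOTS] = obj;
}

/* Hardened lookup: a zero (or out-of-range) key is a caller bug, so it is
 * refused instead of clobbering the reserved slot. */
static bool get_rooted_object_checked(RootTable *t, uintptr_t key, void *obj) {
    if (key == RESERVED_SLOT || key >= NSLOTS) return false;
    t->slots[key] = obj;
    return true;
}

/* Defective visitor: the second call on the same node reads key == 0. */
static void visit_function_decl_buggy(RootTable *t, FunctionDecl *f, void *obj) {
    uintptr_t key = f->key;                 /* key = *v; 0 on a repeat visit */
    get_rooted_object_unchecked(t, key, obj);
    f->key = 0;                             /* *v = NULL */
}

/* Fixed visitor: ignore every visit after the first, and assert that the
 * key handed to the lookup is never NULL. Returns true if a root was stored. */
static bool visit_function_decl_fixed(RootTable *t, FunctionDecl *f, void *obj) {
    if (f->visited) return false;           /* repeat visit: do nothing */
    f->visited = true;
    uintptr_t key = f->key;
    assert(key != 0 && "function decl key must not be NULL");
    bool ok = get_rooted_object_checked(t, key, obj);
    f->key = 0;
    return ok;
}

/* Visit one node twice and report whether the reserved slot's root survived. */
static bool reserved_slot_survives(bool use_fix) {
    RootTable t;
    int bookkeeping = 1;                    /* constructed stand-in for the free-list root */
    int obj = 2;                            /* constructed stand-in for the node's object */
    root_table_init(&t, &bookkeeping);
    FunctionDecl f = { "template_instance", 3, false };   /* constructed node, key 3 */
    if (use_fix) {
        visit_function_decl_fixed(&t, &f, &obj);
        visit_function_decl_fixed(&t, &f, &obj);
    } else {
        visit_function_decl_buggy(&t, &f, &obj);
        visit_function_decl_buggy(&t, &f, &obj);
    }
    return t.slots[RESERVED_SLOT] == (void *)&bookkeeping;
}

int main(void) {
    printf("buggy visitor keeps reserved root: %s\n", reserved_slot_survives(false) ? "yes" : "no");
    printf("fixed visitor keeps reserved root: %s\n", reserved_slot_survives(true) ? "yes" : "no");
    return 0;
}
```

In the model the corruption is visible immediately as a replaced slot; in the real case it only surfaces later, when GC runs and the now-unrooted array is reclaimed, which is why the patch's assertions matter: they turn a silent overwrite into a failure at the call site.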
Comment 1 (Reporter) • 15 years ago
Comment 2 • 15 years ago
http://hg.mozilla.org/rewriting-and-analysis/dehydra/rev/7fe96a4b48e3
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Product: Core → Firefox Build System
Updated • 2 years ago
Product: Firefox Build System → Developer Infrastructure