Closed Bug 1056898 Opened 11 years ago Closed 11 years ago

Don't free COW elements until the end of object finalization

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1056899

People

(Reporter: bhackett1024, Unassigned)

References

Details

Attachments

(1 file)

patch 11 years ago Brian Hackett [Laid off!] 2.54 KB, patch	bhackett1024 : review?	Details \| Diff \| Splinter Review

Brian Hackett [Laid off!]

Reporter

Description

•

11 years ago

Jon noticed this while working on compacting GC. If an owner object with COW elements is finalized before other objects pointing to its elements are, then during finalization those other objects could use the now freed elements pointer. The attached patch fixes this by not freeing COW elements until the FreeOp itself is destroyed, which will happen after all objects have been finalized.

Andrew McCreight [:mccr8]

Comment 1

•

11 years ago

It looks like this was double-filed. Duping to the other one which is more complete.

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → DUPLICATE

BMO Automation

Updated

•

10 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Don't free COW elements until the end of object finalization

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: bhackett1024, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Updated

Attachment

General

Description

File Name

Content Type