Closed
Bug 1598082
Opened 6 years ago
Closed 6 years ago
ModuleObject::instantiateFunctionDeclarations should be clearer about ownership of |funDecls|
Categories
(Core :: JavaScript Engine, task, P3)
RESOLVED
FIXED
mozilla72
| Tracking | Status | |
|---|---|---|
| firefox72 | --- | fixed |
People
(Reporter: Waldo, Assigned: Waldo)
Details
Attachments
(1 file)
ModuleObject::instantiateFunctionDeclarations grabs an owning funDecls pointer, iterates through its contents filling in stuff in the actual module environment, then frees funDecls and returns. But that filling-in process can fail. (I don't remember module semantics enough to know if this is triggerable other than by OOM.) And if it does, funDecls will never be freed.
Comment 1•6 years ago
(In reply to Jeff Walden [:Waldo] from comment #0)
> But that filling-in process can fail.
In that case the pointer is freed by the module object's finalizer: https://searchfox.org/mozilla-central/source/js/src/builtin/ModuleObject.cpp#780-783
Updated•6 years ago
Priority: -- → P3
Comment 2•6 years ago
Oh, bah -- that finalizer relationship is not horribly clear when you read this. Let's add some comments.
Summary: ModuleObject::instantiateFunctionDeclarations leaks |funDecls| in some failure cases → ModuleObject::instantiateFunctionDeclarations should be clearer about ownership of |funDecls|
Comment 3•6 years ago
Updated•6 years ago
Assignee: nobody → jwalden
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/autoland/rev/73eab6e12fdb
Add comments to |ModuleObject::instantiateFunctionDeclarations| clarifying ownership of |funDecls|. r=jonco
Comment 5•6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox72:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
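The ownership relationship discussed in this bug, as an added example that is not SpiderMonkey code and not part of the original thread: a simplified model in which an owning pointer is freed by the instantiating function on success and by the destructor (standing in for the finalizer) after an early failure return. The names `ModuleModel`, `FunDeclList`, `failAt` and the helper functions are hypothetical, and clearing the pointer after the success-path free is an assumption of the model.

```cpp
#include <utility>
#include <vector>

// Simplified model of the ownership in this bug; hypothetical names, not SpiderMonkey code.
static int liveLists = 0;  // allocations not yet freed

struct FunDeclList {
    std::vector<int> ids;
    explicit FunDeclList(std::vector<int> v) : ids(std::move(v)) { ++liveLists; }
    ~FunDeclList() { --liveLists; }
};

class ModuleModel {
    // OWNING pointer. Freed by instantiate() on success, otherwise by the
    // destructor, which stands in for the module object's finalizer.
    FunDeclList* funDecls_;
  public:
    explicit ModuleModel(std::vector<int> ids)
        : funDecls_(new FunDeclList(std::move(ids))) {}
    ModuleModel(const ModuleModel&) = delete;
    ModuleModel& operator=(const ModuleModel&) = delete;
    ~ModuleModel() { delete funDecls_; }  // no-op when already null

    // failAt models a fallible step (e.g. OOM) while filling in one entry.
    bool instantiate(int failAt) {
        for (int id : funDecls_->ids) {
            if (id == failAt) return false;  // not a leak: still owned by *this
        }
        delete funDecls_;
        funDecls_ = nullptr;  // clear so the destructor does not free twice
        return true;
    }
    bool holdsDecls() const { return funDecls_ != nullptr; }
};

// Whether the module still holds the list right after instantiate().
bool heldAfterInstantiate(int failAt) {
    ModuleModel m(std::vector<int>{1, 2, 3});
    m.instantiate(failAt);
    return m.holdsDecls();
}

// Lists still allocated once the module itself has been destroyed.
int leakedAfterDestroy(int failAt) {
    { ModuleModel m(std::vector<int>{1, 2, 3}); m.instantiate(failAt); }
    return liveLists;
}

int main() { return leakedAfterDestroy(2) + leakedAfterDestroy(-1); }
```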