Closed
Bug 1751233
Opened 3 years ago
Closed 3 years ago
Concurrent releases of CompilationStencil could yield to double-free
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
FIXED
98 Branch
Tracking | Status | |
---|---|---|
firefox98 | --- | fixed |
People
(Reporter: nbp, Assigned: nbp)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
The way Stencils' reference count is decremented could yield an unlikely double free.
We should use the decremented value, instead of reloading the value after decrementing.
I do not think this could be a security issue prior to the introduction of off-thread delazification.
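The difference between reloading the count after decrementing and using the value the decrement itself produced, shown as an added example (not code from the Firefox tree or from the patch). `Counted`, `frees` and the function names are hypothetical, and the racy release is split into two steps so that one bad interleaving can be replayed deterministically on a single thread.

```cpp
#include <atomic>
#include <cstddef>

// Hypothetical stand-in for a ref-counted object; `frees` counts how many
// times the destructor path would run instead of actually freeing memory.
struct Counted {
    std::atomic<std::size_t> refCount{2};  // two owners, e.g. two threads
    int frees = 0;
};

// Racy pattern, split in two so the interleaving can be replayed:
// step 1 decrements, step 2 reloads the shared value and compares.
void racyDecrement(Counted& c) { c.refCount.fetch_sub(1); }
void racyReloadAndMaybeFree(Counted& c) {
    if (c.refCount.load() == 0) c.frees++;  // both owners can observe 0
}

// Decrement and compare: decide from the value this decrement produced.
// fetch_sub returns the previous value, so exactly one caller sees 1.
void safeRelease(Counted& c) {
    if (c.refCount.fetch_sub(1, std::memory_order_acq_rel) == 1) c.frees++;
}

// Replays: A decrements, B decrements, A reloads, B reloads.
int replayRacyInterleaving() {
    Counted c;
    racyDecrement(c);           // owner A: 2 -> 1
    racyDecrement(c);           // owner B: 1 -> 0
    racyReloadAndMaybeFree(c);  // owner A reloads 0: frees
    racyReloadAndMaybeFree(c);  // owner B reloads 0: frees again
    return c.frees;
}

// Same two releases with the decrement-and-compare form.
int replaySafeRelease() {
    Counted c;
    safeRelease(c);  // owner A: previous value 2, no free
    safeRelease(c);  // owner B: previous value 1, frees once
    return c.frees;
}

int main() {
    return (replayRacyInterleaving() == 2 && replaySafeRelease() == 1) ? 0 : 1;
}
```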
Assignee
Comment 1 • 3 years ago
Updated • 3 years ago
|
Severity: -- → S3
Priority: -- → P1
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fca6b7c1a5be
Decrement & Compare when releasing stencils. r=arai
Comment 3 • 3 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox98:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch