Open Bug 265788 Opened 21 years ago Updated 10 months ago

Pref API is happy to free observer nodes which are currently being run

Categories

(Core :: Preferences: Backend, defect)

defect

Tracking

()

People

(Reporter: bugzilla-mozilla-20000923, Unassigned)

References

Details

While working out what was going on in bug 255494, I found that pref branches are quite happy to remove an observer that is currently running, however, in doing this is goes and frees the observer node for it which is being used higher in the stack! If you look at the stack in attachment 163142 [details], you see frame 0x0D/0x0C are running the callback - which has it's memory freed in frame 0x00.
The problem is that when the observer finally unwides, it finds itself without a valid |node| at http://lxr.mozilla.org/mozilla/source/modules/libpref/src/prefapi.cpp#862 and crashes on MacOSX and FreeBSD. I don't know why it doesn't crash on Win/Lin - but I know the memory is freed on Win32 at least.
That appears to be the same basic issue, though occuring quite differently (it looks like the pref system is observing the change and releasing the observer, rather than some external code).
(Filter "spam" on 'prefs-nobody-20080612'.)
Assignee: prefs → nobody
QA Contact: prefs
QA Contact: preferences → preferences-backend
Severity: normal → S3
Flags: needinfo?(documentation)
You need to log in before you can comment on or make changes to this bug.